Kerberos ticket forwarding and Reverse DNS

You might get some confusing errors when attempting to log in to your network from an outside network. The application reports “GSSAPI error: Miscellaneous failure” or “GSSAPI mech specific error: Server not found in Kerberos database”. Your Kerberos KDC log shows:

Aug 21 13:01:49 xanadu krb5kdc[30485]: TGS_REQ (3 etypes {16 1 3}) 66.9.16.190: UNKNOWN_SERVER: authtime 1187288525,  nemesis@REALM.COM for krbtgt/ISP.COM@REALM.COM, Server not found in Kerberos database

What is important to note here is that the request is for a ticket for krbtgt/ISP.COM and not krbtgt/REALM.COM.

This happens because the client computer looks up the reverse DNS of the server computer, and attempts to get a ticket for the realm it appears to be a member of.

In this case, the server’s name, server.realm.com, resolves to its IP address correctly, but the Reverse DNS for that address is controlled by the ISP, so a reverse lookup on the server’s IP address returns a hostname somewhere in the ISP’s domain.

There are only a few ways to fix this:

  • Correct the public Reverse DNS for the remote server’s IP address (difficult to impossible depending on your ISP)
  • Add appropriate Reverse DNS entries for the remote server’s IP address to the client’s DNS server, and make the client’s DNS server authoritative for the remote server’s subnet
  • Add appropriate entries for the remote server to the client’s HOSTS file

The last option is probably the least painful if you are just trying to get seamless access from your work computer to home, for example.
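As an added example (not code from the original post): a small Python diagnostic that parses a krb5kdc TGS_REQ line of the kind quoted above, flags a krbtgt request for a realm other than the KDC’s own, and models the client-side step that causes it, mapping the reverse-resolved hostname to a realm. The sample log line, the IP 203.0.113.10 and the ISP hostname are constructed; the realm mapping is the simple “upper-case the DNS domain” fallback, not a [domain_realm] lookup, so treat it as an approximation of what the client does.

```python
import re

# Constructed krb5kdc log line, same shape as the one quoted in the post.
SAMPLE_KDC_LINE = (
    "Aug 21 13:01:49 xanadu krb5kdc[30485]: TGS_REQ (3 etypes {16 1 3}) "
    "66.9.16.190: UNKNOWN_SERVER: authtime 1187288525,  "
    "nemesis@REALM.COM for krbtgt/ISP.COM@REALM.COM, "
    "Server not found in Kerberos database"
)

# client@CREALM for service@SREALM, preceded by the source IP and the status word.
TGS_REQ_RE = re.compile(
    r"TGS_REQ .*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<status>\w+): .*?"
    r"(?P<client>[^\s@]+)@(?P<crealm>\S+) for (?P<service>[^\s@]+)@(?P<srealm>[^,]+)"
)


def parse_tgs_req(line):
    """Extract client, requested service principal and status from a TGS_REQ line."""
    m = TGS_REQ_RE.search(line)
    return m.groupdict() if m else None


def cross_realm_krbtgt(line, kdc_realm):
    """Return the foreign realm a client was steered to, or None if the request is ordinary."""
    req = parse_tgs_req(line)
    if req is None or not req["service"].startswith("krbtgt/"):
        return None
    wanted = req["service"].split("/", 1)[1]
    return None if wanted == kdc_realm else wanted


def realm_for_hostname(hostname):
    """Client-side fallback mapping: the host's DNS domain, upper-cased (simplified model)."""
    return hostname.split(".", 1)[1].upper() if "." in hostname else ""


def predict_krbtgt_request(ptr_name, client_realm):
    """Principal the client will ask its own KDC for, given the reverse-DNS name of the server."""
    return f"krbtgt/{realm_for_hostname(ptr_name)}@{client_realm}"


def reverse_lookup_consistent(forward_name, ptr_name):
    """True when forward and reverse names map to the same realm, so no cross-realm request."""
    return realm_for_hostname(forward_name) == realm_for_hostname(ptr_name)


def hosts_entry(ip, forward_name):
    """HOSTS-file line from the post's last option: pins the IP to the home-realm name."""
    return f"{ip}\t{forward_name}"
```

A live check of the reverse name is the usual `socket.gethostbyaddr(ip)` call; it is left out here so the example runs offline.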
