[28062] in Kerberos
Re: automatic domain_realm mapping broken in 1.6?
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Wed Jul 18 15:31:34 2007
From: Ken Raeburn <raeburn@mit.edu>
Date: Wed, 18 Jul 2007 15:31:23 -0400
To: Michael Weiser <michael@weiser.dinsnail.net>
Cc: kerberos@mit.edu

On Jul 18, 2007, at 13:49, Michael Weiser wrote:

> 07/18/07 19:17:14 07/19/07 05:17:01 host/sol9.example.org@
> renew until 07/19/07 19:16:58

Without the domain_realm mapping, we use some code that first tries
to ask the KDC for the correct realm, using the "referrals" support
originally proposed by Microsoft. (Our KDC doesn't support that
mechanism, but theirs does, and this helps the MIT clients work
better in an Active Directory environment.) Internally, we represent
"don't know the realm, ask the KDC" as an empty string used as the
realm name. Unfortunately, in the current implementation, that means
that's what shows up in klist, too.

> Also, to make the kerberised logon work at all I have to add the same
> [domain_realm] entry to krb5.conf on the server. Otherwise sshd says:

I think this bug is fixed in 1.6.2; please give that a try.

Ken
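
An added example, not part of the original message and not MIT's code: a small check that reads `klist` text output and reports tickets whose service principal has an empty realm, the symptom described above when the client falls back to the referral realm. The sample input is constructed; the realm EXAMPLE.ORG, the extra host, and the `MM/DD/YY HH:MM:SS` column layout are assumptions.

```python
import re

# Constructed sample in the layout of klist output. EXAMPLE.ORG and
# mail.example.org are assumptions, not values from the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
07/18/07 19:16:58  07/19/07 05:17:01  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 07/19/07 19:16:58
07/18/07 19:17:14  07/19/07 05:17:01  host/sol9.example.org@
        renew until 07/19/07 19:16:58
07/18/07 19:20:02  07/19/07 05:17:01  host/mail.example.org@EXAMPLE.ORG
        renew until 07/19/07 19:16:58
"""

STAMP = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
# A ticket line: start time, expiry time, service principal.
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)\s*$")
# name@REALM, where '@' inside the name is backslash-escaped.
PRINCIPAL_RE = re.compile(r"^((?:\\.|[^\\@])*)@(.*)$")


def split_principal(principal):
    """Return (name, realm); realm is '' if empty, None if no '@' at all."""
    m = PRINCIPAL_RE.match(principal)
    if m is None:
        return principal, None
    return m.group(1), m.group(2)


def empty_realm_tickets(klist_text):
    """List (service name, start time) for tickets with an empty realm."""
    hits = []
    for line in klist_text.splitlines():
        m = TICKET_RE.match(line)
        if m is None:
            continue  # header, blank, or "renew until" continuation line
        name, realm = split_principal(m.group(3))
        if realm == "":
            hits.append((name, m.group(1)))
    return hits


if __name__ == "__main__":
    for name, start in empty_realm_tickets(SAMPLE_KLIST):
        print(f"{start}  {name}@  <- empty realm: check [domain_realm]")
```
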