[28066] in Kerberos
Re: automatic domain_realm mapping broken in 1.6?
daemon@ATHENA.MIT.EDU (Michael Weiser)
Thu Jul 19 14:24:02 2007
Date: Thu, 19 Jul 2007 19:28:37 +0200
From: Michael Weiser <michael@weiser.dinsnail.net>
To: Ken Raeburn <raeburn@mit.edu>
Message-ID: <20070719172837.GA26844@weiser.dinsnail.net>
In-Reply-To: <87A8E235-C2A1-4A6F-8498-8D3809E4FCC0@mit.edu>
Cc: kerberos@mit.edu

On Wed, Jul 18, 2007 at 03:31:23PM -0400, Ken Raeburn wrote:

> > 07/18/07 19:17:14 07/19/07 05:17:01 host/sol9.example.org@
> > renew until 07/19/07 19:16:58

> Without the domain_realm mapping, we use some code that first tries to ask
> the KDC for the correct realm, using the "referrals" support originally
> proposed by Microsoft. (Our KDC doesn't support that mechanism, but theirs
> does, and this helps the MIT clients work better in an Active Directory
> environment.) Internally, we represent "don't know the realm, ask the KDC"
> as an empty string used as the realm name. Unfortunately, in the current
> implementation, that means that's what shows up in klist, too.

No worries then - I was anxious because I thought it might be a
security-relevant bug.

> > Also, to make the kerberised logon work at all I have to add the same
> > [domain_realm] entry to krb5.conf on the server. Otherwise sshd says:

> I think this bug is fixed in 1.6.2; please give that a try.

Yes, 1.6.2 seems to fix it (just compiled and LD_LIBRARY_PATH'ed it into
my existing openssl/openssh installation).

Thanks for the fast response!
--
bye, Micha