[28066] in Kerberos


Re: automatic domain_realm mapping broken in 1.6?

daemon@ATHENA.MIT.EDU (Michael Weiser)
Thu Jul 19 14:24:02 2007

Date: Thu, 19 Jul 2007 19:28:37 +0200
From: Michael Weiser <michael@weiser.dinsnail.net>
To: Ken Raeburn <raeburn@mit.edu>
Message-ID: <20070719172837.GA26844@weiser.dinsnail.net>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <87A8E235-C2A1-4A6F-8498-8D3809E4FCC0@mit.edu>
X-MailScanner-From: michael@weiser.dinsnail.net
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Wed, Jul 18, 2007 at 03:31:23PM -0400, Ken Raeburn wrote:

> > 07/18/07 19:17:14  07/19/07 05:17:01  host/sol9.example.org@
> >         renew until 07/19/07 19:16:58
>  Without the domain_realm mapping, we use some code that first tries to ask 
>  the KDC for the correct realm, using the "referrals" support originally 
>  proposed by Microsoft.  (Our KDC doesn't support that mechanism, but theirs 
>  does, and this helps the MIT clients work better in an Active Directory 
>  environment.)  Internally, we represent "don't know the realm, ask the KDC" 
>  as an empty string used as the realm name.  Unfortunately, in the current 
>  implementation, that means that's what shows up in klist, too.

No worries then - I was anxious because I thought it might be a
security-relevant bug.

> > Also, to make the kerberised logon work at all I have to add the same
> > [domain_realm] entry to krb5.conf on the server. Otherwise sshd says:
>  I think this bug is fixed in 1.6.2; please give that a try.

Yes, 1.6.2 seems to fix it (just compiled and LD_LIBRARY_PATH'ed it into
my existing openssl/openssh installation).

Thanks for the fast response!
-- 
bye, Micha
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
