[31266] in Kerberos
Solved RE: Keytab server principal cuts off at @
daemon@ATHENA.MIT.EDU (Charles Breite)
Tue Jun 16 12:08:25 2009
Date: Tue, 16 Jun 2009 11:07:57 -0500
Message-ID: <5D490E0402B4D14F836B5C4436D5949A8AD774@VMEXCHANGE2.alterscrap.com>
In-Reply-To: <5D490E0402B4D14F836B5C4436D5949A8AD6F5@VMEXCHANGE2.alterscrap.com>
From: "Charles Breite" <Charles.Breite@altertrading.com>
To: "Charles Breite" <Charles.Breite@altertrading.com>,
"Simon Wilkinson" <simon@sxw.org.uk>
Cc: kerberos@mit.edu
During the user mapping account creation you must name the login name as
HTTP/username.domain.com. I was not using the FQDN since AD adds that at
the end. End result is....HTTP/username.domain.com@domain.com.
It had my keytab messed up. I can test the keytab successfully now.
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of Charles Breite
Sent: Tuesday, June 16, 2009 7:19 AM
To: Simon Wilkinson
Cc: kerberos@mit.edu
Subject: RE: Keytab server principal cuts off at @
Yes, here is my krb5.conf...
[libdefaults]
    default_realm = DOMAIN.COM
    clockskew = 300
    #dns_lookup_kdc = true
    #dns_lookup_realm = true
# We have to have the realm spec here still for CAS
[realms]
    DOMAIN.COM = {
        kdc = vmad1.domain.com
        default_domain = domain.com
        admin_server = vmad1.domain.com
    }
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
[domain_realm]
    DOMAIN = DOMAIN.COM
    .DOMAIN = DOMAIN.COM
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 1
        use_shmem = sshd
    }
-----Original Message-----
From: Simon Wilkinson [mailto:simon@sxw.org.uk]
Sent: Tuesday, June 16, 2009 2:37 AM
To: Charles Breite
Cc: kerberos@mit.edu
Subject: Re: Keytab server principal cuts off at @
On 15 Jun 2009, at 19:30, Charles Breite wrote:
> I am wondering if anyone has seen this where the principal is
> cutoff....I have regenerated the keytab several times and re-checked the
> windows accounts we are using for the auth.... Shouldn't the principal
> be HTTP/servername.domain.com@domain.com
A lack of a realm usually means that Kerberos is attempting to find
the realm using referrals. Have you got a default realm set in your
krb5.conf?
S.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
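
Added example, not part of the original thread: one way to confirm what a keytab actually stores is to read the file directly and check each entry's realm and host name, the two things that went wrong above. It assumes the MIT keytab file format version 0x0502; the function names and the sample keytab are constructed for illustration.

```python
import struct

def build_entry(realm, comps, kvno=3, enctype=23, key=b"\x00" * 16):
    """Build one keytab entry; used only to construct SAMPLE below."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, realm, kvno, enctype) for each entry in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    def counted(p):  # 16-bit length followed by that many bytes
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode("utf-8", "replace"), p + 2 + n
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted entry; skip the hole
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        names, p = [], pos + 2
        for _ in range(ncomp + 1):  # realm first, then the name components
            name, p = counted(p)
            names.append(name)
        kvno = data[p + 8]  # after name type (4 bytes) and timestamp (4 bytes)
        enctype, keylen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + keylen
        if pos + size - p >= 4:  # optional trailing 32-bit kvno
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(names[1:]), names[0], kvno, enctype))
        pos += size
    return entries

def check_principals(entries, expected_realm):
    """Flag entries with a missing or unexpected realm or a short host name."""
    problems = []
    for princ, realm, _kvno, _enctype in entries:
        if realm != expected_realm:
            problems.append((princ, "realm is %r, expected %r" % (realm, expected_realm)))
        if "." not in princ.partition("/")[2]:
            problems.append((princ, "host part is not fully qualified"))
    return problems

SAMPLE = (b"\x05\x02"  # constructed: one good entry, one with no realm and a short host
          + build_entry("DOMAIN.COM", ["HTTP", "servername.domain.com"])
          + build_entry("", ["HTTP", "servername"]))
```

Calling `check_principals(parse_keytab(SAMPLE), "DOMAIN.COM")` reports only the second entry; for a real file, pass the bytes read from the keytab instead of `SAMPLE`.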