[19959] in Kerberos_V5_Development


Re: Spurious tickets when using DNS realm configuration (and cross

daemon@ATHENA.MIT.EDU (david@crossfamilyweb.com)
Sun Jul 28 18:50:18 2019

MIME-Version: 1.0
Date: Sun, 28 Jul 2019 18:49:57 -0400
From: <david@crossfamilyweb.com>
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <13a838fe4e4216e598957705ace3af82@crossfamilyweb.com>
Message-ID: <398634bf589978a0951b7aabc9cbabc0@crossfamilyweb.com>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On 2019-07-28 17:08, david@crossfamilyweb.com wrote:
> [snip for brevity]
> So it gets the cross realm TGT, and then doesn't save it? after being
> short-circuit evaluated in the KDC?
> 
> I do not (that I remember, or can find) have any CAPATHS set up on either
> the client or the server.  The only thing that seems unifying is that the
> 'home' realm for the KDC is EXAMPLE.ORG (it is kerberos.example.org).

OK, so I made a bunch of changes to the krb5.conf on the KDC to remove 
the default realm as well as to add in the other realms; additionally, I 
added 'dns_lookup_realm' and 'dns_lookup_kdc' to the krb5.conf on the 
client machine as well as the KDC, and now I see the intermediate TGTs in 
all cases.  So it's definitely config driven, and things appear to be 
set up correctly; I wish I understood the subtleties of these behaviors 
more (was it removing the default_realm? was it the DNS entries? adding 
the remaining realms?)
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
