[krbdev.mit.edu #8332] gss_init_sec_context w/host@<hostname> fails with anonymous tickets

Russ Allbery via RT rt-comment at krbdev.mit.edu
Thu Dec 24 01:21:06 EST 2015


"Greg Hudson via RT" <rt-comment at krbdev.mit.edu> writes:

> This is a known problem, although I don't seem to have created a ticket
> for it.  It's a pretty serious impediment to using anonymous tickets,
> which is unfortunate.

For the record, anonymous tickets are pretty awesome, and I'm already
using the new anonymous support in remctl to great effect to solve a
system keytab bootstrapping problem I've been worrying at for years.
Everything seems to work fine as long as one stays within the same realm
and specifies the server to authenticate to using the Kerberos principal
syntax.  The limitation isn't too bad for me and is pretty easy to work
around.

> An outline of the solution is at
> http://k5wiki.kerberos.org/wiki/Projects/StartRealmCCconfig, but we
> haven't implemented it yet.

Ah, yes, now the problem makes lots of sense.

> A possible workaround for local-realm use is to configure a
> [domain_realm] on the client so that it doesn't try to use the referral
> realm for host-based service names.

Oh, that explains why I didn't encounter this problem in my dev
environment.

Unfortunately, the environment I'm working in has no DNS domain structure
that maps to Kerberos realms, so I literally have separate TXT records for
each of a very large number of machines to map them to the appropriate
realms.  [domain_realm] doesn't work very well for that.  :/  (I'd love
some way to put wildcard matches into [domain_realm] rather than just
domains; I can potentially fix the domain structure, but that's a rather
invasive change.)

Apparently you need an actual [domain_realm] section; DNS TXT records and
enabling DNS domain-realm lookups aren't sufficient?

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
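As an added illustration of the client-side [domain_realm] workaround Greg describes above (this fragment is not part of the thread or of the krb5 source; EXAMPLE.COM, example.com and the hostnames are placeholders), here is a krb5.conf [domain_realm] section that maps hosts to a realm explicitly, so that host-based service names such as host@<hostname> are resolved locally instead of through the referral realm:

```ini
# Added example krb5.conf fragment. The realm EXAMPLE.COM, the domain
# example.com and the hostnames below are placeholders, not values from
# the thread.
[domain_realm]
    # A tag with a leading dot matches every host under that domain.
    .example.com = EXAMPLE.COM
    # A tag without a leading dot matches exactly that one host.
    example.com = EXAMPLE.COM

    # Hosts whose DNS names do not follow the realm's domain structure
    # have to be listed one per line; there is no wildcard form, which
    # is the per-machine situation Russ describes.
    build01.lab.internal = EXAMPLE.COM
    build02.lab.internal = EXAMPLE.COM
```

With a matching entry present, the client resolves host/build01.lab.internal to EXAMPLE.COM from the local configuration and asks that realm's KDC for the service ticket directly, which is what avoids the referral-realm path that fails with anonymous tickets. Hosts with no matching entry still go through whatever other realm lookup mechanisms the client has enabled.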


