automatic domain_realm mapping broken in 1.6?

Ken Raeburn raeburn at MIT.EDU
Wed Jul 18 15:31:23 EDT 2007


On Jul 18, 2007, at 13:49, Michael Weiser wrote:
> 07/18/07 19:17:14  07/19/07 05:17:01  host/sol9.example.org@
>         renew until 07/19/07 19:16:58

Without the domain_realm mapping, we use some code that first tries  
to ask the KDC for the correct realm, using the "referrals" support  
originally proposed by Microsoft.  (Our KDC doesn't support that  
mechanism, but theirs does, and this helps the MIT clients work  
better in an Active Directory environment.)  Internally, we represent  
"don't know the realm, ask the KDC" as an empty string used as the  
realm name.  Unfortunately, in the current implementation, that means  
that's what shows up in klist, too.

> Also, to make the kerberised logon work at all I have to add the same
> [domain_realm] entry to krb5.conf on the server. Otherwise sshd says:

I think this bug is fixed in 1.6.2; please give that a try.

Ken
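Added example, not part of the original message or of the MIT krb5 code: a small Python check that scans `klist` output for service tickets whose realm is the empty string, the symptom described above when no domain_realm mapping applied and the referral placeholder was stored. The sample output is constructed; the realm EXAMPLE.ORG, the user principal and the function name are assumptions, and only the `host/sol9.example.org@` line comes from the thread.

```python
import re

# Constructed sample of klist output. Only the host/sol9.example.org@ ticket
# is taken from the thread; the realm EXAMPLE.ORG and the user are assumed.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
07/18/07 19:16:58  07/19/07 05:17:01  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 07/19/07 19:16:58
07/18/07 19:17:14  07/19/07 05:17:01  host/sol9.example.org@
        renew until 07/19/07 19:16:58
"""

# A ticket line is two "date time" stamps followed by the service principal.
_STAMP = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^{_STAMP}\s+{_STAMP}\s+(\S+)\s*$")


def empty_realm_tickets(klist_text):
    """Return service names whose ticket is listed with an empty realm.

    An empty realm after '@' is the client's internal "ask the KDC"
    placeholder, so these are the services for which no local realm
    mapping was used. (Hypothetical helper name, chosen for this example.)
    """
    flagged = []
    for line in klist_text.splitlines():
        match = TICKET_RE.match(line)
        if not match:
            continue  # header, "renew until" or blank line
        name, sep, realm = match.group(1).rpartition("@")
        if sep and realm == "":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for service in empty_realm_tickets(SAMPLE_KLIST):
        print(f"empty realm (referral placeholder): {service}")
```
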


