automatic domain_realm mapping broken in 1.6?
Ken Raeburn
raeburn at MIT.EDU
Wed Jul 18 15:31:23 EDT 2007
On Jul 18, 2007, at 13:49, Michael Weiser wrote:
> 07/18/07 19:17:14 07/19/07 05:17:01 host/sol9.example.org@
> renew until 07/19/07 19:16:58
Without the domain_realm mapping, we use some code that first tries
to ask the KDC for the correct realm, using the "referrals" support
originally proposed by Microsoft. (Our KDC doesn't support that
mechanism, but theirs does, and this helps the MIT clients work
better in an Active Directory environment.) Internally, we represent
"don't know the realm, ask the KDC" as an empty string used as the
realm name. Unfortunately, in the current implementation, that means
that's what shows up in klist, too.
> Also, to make the kerberised logon work at all I have to add the same
> [domain_realm] entry to krb5.conf on the server. Otherwise sshd says:
I think this bug is fixed in 1.6.2; please give that a try.
Ken
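
Added example, not part of the message above and not MIT's code: a small check that scans klist output for the symptom described in the thread, a service principal whose realm is the empty string, and formats the `[domain_realm]` line that pins the host to a realm. The realm `EXAMPLE.ORG`, the user principal and the function names are assumptions; only the `host/sol9.example.org@` ticket line comes from the thread.

```python
import re

# Constructed sample in MIT klist layout. Only the host/ ticket line comes from
# the thread; the realm EXAMPLE.ORG and the user principal are assumptions.
SAMPLE_KLIST = (
    "Ticket cache: FILE:/tmp/krb5cc_1000\n"
    "Default principal: user@EXAMPLE.ORG\n"
    "\n"
    "Valid starting     Expires            Service principal\n"
    "07/18/07 19:17:14  07/19/07 05:17:01  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG\n"
    "\trenew until 07/19/07 19:16:58\n"
    "07/18/07 19:17:14  07/19/07 05:17:01  host/sol9.example.org@\n"
    "\trenew until 07/19/07 19:16:58\n"
)

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_LINE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)\s*$")


def split_principal(principal):
    """Split at the last unescaped '@'; realm is None when no '@' is present."""
    for i in range(len(principal) - 1, -1, -1):
        if principal[i] == "@" and (i == 0 or principal[i - 1] != "\\"):
            return principal[:i], principal[i + 1:]
    return principal, None


def find_empty_realm_tickets(klist_text):
    """Return ticket entries whose service principal has an empty realm."""
    findings = []
    for line in klist_text.splitlines():
        m = TICKET_LINE.match(line)
        if not m:
            continue  # header, blank, or "renew until" continuation line
        name, realm = split_principal(m.group(3))
        if realm == "":
            parts = name.split("/")
            findings.append({
                "principal": m.group(3),
                "host": parts[1] if len(parts) > 1 else None,
                "starts": m.group(1),
            })
    return findings


def domain_realm_entry(host, realm):
    """Format the [domain_realm] line that pins a host to a realm in krb5.conf."""
    return f"    {host} = {realm}"
```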