automatic domain_realm mapping broken in 1.6?
Michael Weiser
michael at weiser.dinsnail.net
Thu Jul 19 13:28:37 EDT 2007
On Wed, Jul 18, 2007 at 03:31:23PM -0400, Ken Raeburn wrote:
> > 07/18/07 19:17:14 07/19/07 05:17:01 host/sol9.example.org@
> > renew until 07/19/07 19:16:58
> Without the domain_realm mapping, we use some code that first tries to ask
> the KDC for the correct realm, using the "referrals" support originally
> proposed by Microsoft. (Our KDC doesn't support that mechanism, but theirs
> does, and this helps the MIT clients work better in an Active Directory
> environment.) Internally, we represent "don't know the realm, ask the KDC"
> as an empty string used as the realm name. Unfortunately, in the current
> implementation, that means that's what shows up in klist, too.
No worries then - I was anxious because I thought it might be a
security-relevant bug.
> > Also, to make the kerberised logon work at all I have to add the same
> > [domain_realm] entry to krb5.conf on the server. Otherwise sshd says:
> I think this bug is fixed in 1.6.2; please give that a try.
Yes, 1.6.2 seems to fix it (just compiled and LD_LIBRARY_PATH'ed it into
my existing openssl/openssh installation).
Thanks for the fast response!
--
bye, Micha
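
An added example, not part of the original message and not MIT krb5 code: a simplified Python model of how a [domain_realm] lookup falls back to the empty "ask the KDC" realm described in the thread, which is why klist prints host/sol9.example.org@ with nothing after the @. The lookup order (host name, then each parent domain with and without a leading dot), the realm name EXAMPLE.REALM and the sample krb5.conf text are assumptions constructed for illustration.

```python
# Added illustration: simplified model of [domain_realm] lookup, not MIT krb5 source.
REFERRAL_REALM = ""  # "don't know the realm, ask the KDC", as described in the thread

# Constructed sample config; EXAMPLE.REALM is a placeholder realm name.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.REALM
[domain_realm]
    .example.org = EXAMPLE.REALM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section of krb5.conf-style text as a dict."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("["):             # section header
            in_section = line.lower() == "[domain_realm]"
        elif in_section and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def candidates(hostname):
    """Yield lookup keys in the assumed order: host, .parent, parent, ..."""
    p = hostname.lower().rstrip(".")
    while p:
        yield p
        if p.startswith("."):
            p = p[1:]                        # ".example.org" -> "example.org"
        else:
            dot = p.find(".")
            p = p[dot:] if dot != -1 else "" # "example.org" -> ".org"

def host_realm(hostname, mapping):
    """Realm for a host, or the empty referral realm when nothing matches."""
    for key in candidates(hostname):
        if key in mapping:
            return mapping[key]
    return REFERRAL_REALM

def service_principal(service, hostname, mapping):
    """Build the principal name as it would be displayed, e.g. by klist."""
    return f"{service}/{hostname}@{host_realm(hostname, mapping)}"

if __name__ == "__main__":
    print(service_principal("host", "sol9.example.org", {}))
    print(service_principal("host", "sol9.example.org", parse_domain_realm(SAMPLE_CONF)))
```

The model stops at the empty realm; any further resolution the real library performs is not modelled here.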