automatic domain_realm mapping broken in 1.6?

Michael Weiser michael at weiser.dinsnail.net
Thu Jul 19 13:28:37 EDT 2007


On Wed, Jul 18, 2007 at 03:31:23PM -0400, Ken Raeburn wrote:

> > 07/18/07 19:17:14  07/19/07 05:17:01  host/sol9.example.org@
> >         renew until 07/19/07 19:16:58
>  Without the domain_realm mapping, we use some code that first tries to ask 
>  the KDC for the correct realm, using the "referrals" support originally 
>  proposed by Microsoft.  (Our KDC doesn't support that mechanism, but theirs 
>  does, and this helps the MIT clients work better in an Active Directory 
>  environment.)  Internally, we represent "don't know the realm, ask the KDC" 
>  as an empty string used as the realm name.  Unfortunately, in the current 
>  implementation, that means that's what shows up in klist, too.

No worries then - I was anxious because I thought it might be a security-relevant
bug.

> > Also, to make the kerberised logon work at all I have to add the same
> > [domain_realm] entry to krb5.conf on the server. Otherwise sshd says:
>  I think this bug is fixed in 1.6.2; please give that a try.

Yes, 1.6.2 seems to fix it (just compiled and LD_LIBRARY_PATH'ed it into
my existing openssl/openssh installation).

Thanks for the fast response!
-- 
bye, Micha
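For reference, the explicit [domain_realm] mapping discussed in the thread looks like the fragment below. This is an added example, not configuration from the thread or from the MIT Kerberos project; the realm name EXAMPLE.ORG is an assumption (the thread never states the realm), while the host name sol9.example.org comes from the quoted klist output.

```ini
# Added example krb5.conf fragment (not from the thread).
# Pinning the DNS domain to a realm lets the client resolve the realm locally,
# so it never has to fall back to the KDC-referral path whose "don't know yet"
# placeholder shows up as an empty realm (host/sol9.example.org@) in klist.
# Assumption: the realm is EXAMPLE.ORG.

[libdefaults]
    default_realm = EXAMPLE.ORG

[domain_realm]
    # Leading dot: every host below example.org (e.g. sol9.example.org).
    .example.org = EXAMPLE.ORG
    # Without the dot: the bare domain name itself.
    example.org = EXAMPLE.ORG
```

With this mapping on the client, the service ticket is requested directly as host/sol9.example.org@EXAMPLE.ORG and klist shows the realm. As the thread notes, 1.6.0 and 1.6.1 also needed the same entry on the sshd side of the connection; that server-side requirement is what 1.6.2 removes.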
