krb5_sname_to_principal question
Jos Backus
jos at catnook.com
Tue Jul 29 17:54:48 EDT 2008
On Tue, Jul 29, 2008 at 12:26:17PM -0700, Russ Allbery wrote:
> I believe this was to support server-side referrals. The idea is that the
> client will ask the server for a principal with an empty realm and the
> server will figure out the realm.
*nod* As it stands, without a matching domain_realm entry, the realm remains
empty.
This broke our setup between CentOS 4 (Kerberos 1.5) and CentOS 5 (Kerberos
1.6.1), where ssh'ing into a box fails with `Wrong principal in request'.
Adding some debugging from 1.6.3 reveals that the offered principal is
`host/fqdn@REALM' whereas the expected principal (returned from
krb5_sname_to_principal()) is `host/fqdn@'.
> I don't know exactly how this works, though.
Neither do I.
--
Jos Backus
jos at catnook.com
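
Added example, not part of the original message and not MIT krb5 code: a simplified Python model of the behaviour described above, where a host with no matching domain_realm entry gets an empty realm and the expected principal no longer equals the offered one. The function names, the host `box.corp.example`, the realm `CORP.EXAMPLE`, and the lookup order (full host name, then each parent domain with and without a leading dot) are assumptions made for illustration.

```python
# Simplified model (an assumption, not MIT krb5 source) of host-to-realm
# mapping through [domain_realm] and the principal comparison that follows.

def lookup_realm(fqdn, domain_realm):
    """Return the mapped realm, or "" (empty realm) when nothing matches."""
    name = fqdn.lower()
    while name:
        if name in domain_realm:
            return domain_realm[name]
        if name.startswith("."):
            name = name[1:]                         # ".corp.example" -> "corp.example"
        else:
            dot = name.find(".")
            name = name[dot:] if dot != -1 else ""  # drop the leftmost label
    return ""                                       # no entry: realm stays empty

def sname_to_principal(service, fqdn, domain_realm):
    """Build the principal the server side expects for service on fqdn."""
    return f"{service}/{fqdn.lower()}@{lookup_realm(fqdn, domain_realm)}"

def unmapped_hosts(hosts, domain_realm):
    """Hosts that would end up with an empty realm (audit before upgrading)."""
    return [h for h in hosts if lookup_realm(h, domain_realm) == ""]

# Constructed sample data.
OFFERED = "host/box.corp.example@CORP.EXAMPLE"      # principal in the client's ticket
NO_MAPPING = {}                                     # [domain_realm] has no match
WITH_MAPPING = {".corp.example": "CORP.EXAMPLE"}    # entry covering the domain

def demo():
    broken = sname_to_principal("host", "box.corp.example", NO_MAPPING)
    fixed = sname_to_principal("host", "box.corp.example", WITH_MAPPING)
    return {
        "broken": broken, "broken_ok": broken == OFFERED,
        "fixed": fixed, "fixed_ok": fixed == OFFERED,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```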