Solved RE: Keytab server principal cuts off at @

Charles Breite Charles.Breite at altertrading.com
Tue Jun 16 12:07:57 EDT 2009


During the user mapping account creation you must name the login name as
HTTP/username.domain.com. I was not using the FQDN since AD adds that at
the end. End result is... HTTP/username.domain.com at domain.com.
It had my keytab messed up. I can test the keytab successfully now.


-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Charles Breite
Sent: Tuesday, June 16, 2009 7:19 AM
To: Simon Wilkinson
Cc: kerberos at mit.edu
Subject: RE: Keytab server principal cuts off at @

Yes, here is my krb5.conf...

[libdefaults]
        default_realm = DOMAIN.COM
        clockskew = 300
        #dns_lookup_kdc = true
        #dns_lookup_realm = true

# We have to have the realm spec here still for CAS
[realms]
        DOMAIN.COM = {
                kdc = vmad1.domain.com
                default_domain = domain.com
                admin_server = vmad1.domain.com
        }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]
        DOMAIN = DOMAIN.COM
        .DOMAIN = DOMAIN.COM
[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 1
                use_shmem = sshd
        }

-----Original Message-----
From: Simon Wilkinson [mailto:simon at sxw.org.uk] 
Sent: Tuesday, June 16, 2009 2:37 AM
To: Charles Breite
Cc: kerberos at mit.edu
Subject: Re: Keytab server principal cuts off at @


On 15 Jun 2009, at 19:30, Charles Breite wrote:
> I am wondering if anyone has seen this where the principal is
> cut off.... I have regenerated the keytab several times and re-checked
> the Windows accounts we are using for the auth.... Shouldn't the
> principal be HTTP/servername.domain.com at domain.com

A lack of a realm usually means that Kerberos is attempting to find
the realm using referrals. Have you got a default realm set in your
krb5.conf?

S.
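
A way to check a keytab for the symptom in this thread (a principal with nothing after the @), as an added example that is not from the original posts: it reads the MIT keytab file format (version 0x0502) directly and flags entries whose realm is empty or differs from the expected one. The sample keytab bytes, the all-zero dummy key and the function names are constructed for illustration.

```python
import struct

def _cstr(b):  # counted octet string: uint16 length, then the bytes
    return struct.pack(">H", len(b)) + b

def make_entry(components, realm, kvno=3):
    """Build one constructed entry with a dummy all-zero key (not a real key)."""
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno)            # name_type, timestamp, vno8
    body += struct.pack(">H", 23) + _cstr(b"\0" * 16)  # keyblock: enctype, key
    return struct.pack(">i", len(body)) + body

def read_principals(data):
    """Return [(name, realm, kvno)] for every live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                  # negative size marks a deleted slot
            off += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, off)
        fields, p = [], off + 2
        for _ in range(ncomp + 1):     # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            fields.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        kvno = data[p + 8]             # skip name_type (4) and timestamp (4)
        entries.append(("/".join(fields[1:]), fields[0], kvno))
        off += size
    return entries

def audit(data, expected_realm):
    """Flag entries whose realm is empty or differs from expected_realm."""
    problems = []
    for name, realm, kvno in read_principals(data):
        if realm != expected_realm:
            why = "no realm" if not realm else "realm is " + realm
            problems.append((name + "@" + realm, why))
    return problems

# Constructed sample: one entry cut off at "@", one hole, one well-formed entry.
SAMPLE = (b"\x05\x02"
          + make_entry(["HTTP", "servername.domain.com"], "")
          + struct.pack(">i", -4) + b"\0" * 4
          + make_entry(["HTTP", "servername.domain.com"], "DOMAIN.COM"))
```

Calling `audit(SAMPLE, "DOMAIN.COM")` reports only the first entry; on a real file, pass the bytes of the keytab and the `default_realm` from krb5.conf.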

