Getting two service principals, one of them with an empty realm

Tom Yu tlyu at MIT.EDU
Tue Jun 8 21:57:21 EDT 2010


Rahul Amaram <rahul at synovel.com> writes:

> Hi,
> I did not get any response for this query. If nobody has an idea, I was
> planning to submit this as a bug report. Looking forward to a response.
>
> Thanks,
> Rahul.
>
> On Wednesday 02 June 2010 11:59 AM, Rahul Amaram wrote:
>> Hi,
>> I am strangely getting two service principals for every service I use
>> and one of them has an empty realm. Below is a sample output.
>>
>> $ klist
>> Ticket cache: FILE:/tmp/krb5cc_1001_Xc3DVv
>> Default principal: xxxxxx@SYNOVEL.COM
>>
>> Valid starting     Expires            Service principal
>> 06/02/10 11:45:07  06/02/10 21:45:07  krbtgt/SYNOVEL.COM@SYNOVEL.COM
>>       renew until 06/03/10 11:44:57
>> 06/02/10 11:45:27  06/02/10 21:45:07  imap/scs.synovel.com@
>>       renew until 06/03/10 11:44:57
>> 06/02/10 11:45:27  06/02/10 21:45:07  imap/scs.synovel.com@SYNOVEL.COM
>>       renew until 06/03/10 11:44:57

This is expected behavior that is a side effect of the way that
service principal realm referrals work.  The empty realm name
indicates that the realm of the principal is unknown.  A copy of the
ticket is present in the cache under its actual service principal name
and realm to allow both referral and non-referral lookups to work.
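
An added example, not part of the original post: a small parser for `klist` output that pairs each empty-realm entry with its realm-qualified copy, so a ticket-cache audit script does not report the referral entry as a duplicate or anomaly. The sample input is constructed to mirror the output quoted above, written in klist's `name@REALM` form. The function names, the MM/DD/YY timestamp layout, and pairing by identical name and times are assumptions of this example.

```python
import re

# Constructed sample mirroring the klist output quoted in the post.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1001_Xc3DVv
Default principal: xxxxxx@SYNOVEL.COM

Valid starting     Expires            Service principal
06/02/10 11:45:07  06/02/10 21:45:07  krbtgt/SYNOVEL.COM@SYNOVEL.COM
      renew until 06/03/10 11:44:57
06/02/10 11:45:27  06/02/10 21:45:07  imap/scs.synovel.com@
      renew until 06/03/10 11:44:57
06/02/10 11:45:27  06/02/10 21:45:07  imap/scs.synovel.com@SYNOVEL.COM
      renew until 06/03/10 11:44:57
"""

# One ticket row: start time, expiry time, service principal.
ROW = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
                 r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")

def parse_klist(text):
    """Return one dict per ticket row; realm is '' when klist shows 'name@'."""
    tickets = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:  # header, blank or "renew until" line
            continue
        start, expires, principal = m.groups()
        name, sep, realm = principal.rpartition("@")
        if not sep:  # no '@' at all: keep the whole string as the name
            name, realm = principal, ""
        tickets.append({"name": name, "realm": realm,
                        "start": start, "expires": expires})
    return tickets

def referral_aliases(tickets):
    """Split empty-realm entries into ({name: realm} pairs, unpaired names).

    Assumption: the two cache copies share service name and ticket times.
    """
    known = {(t["name"], t["start"], t["expires"]): t["realm"]
             for t in tickets if t["realm"]}
    paired, unpaired = {}, []
    for t in tickets:
        if t["realm"]:
            continue
        key = (t["name"], t["start"], t["expires"])
        if key in known:
            paired[t["name"]] = known[key]
        else:
            unpaired.append(t["name"])
    return paired, unpaired
```

Calling `referral_aliases(parse_klist(SAMPLE))` pairs `imap/scs.synovel.com@` with realm `SYNOVEL.COM`; an empty-realm entry with no realm-qualified copy is returned in the second list instead.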


