Incremental propagation when KDCs are clients of a different realm
Toby Blake
toby at inf.ed.ac.uk
Mon Nov 2 11:35:38 EST 2015
Hi Greg,
> On 2 Nov 2015, at 15:48, Greg Hudson <ghudson at mit.edu> wrote:
>
> On 11/02/2015 09:48 AM, Toby Blake wrote:
>> I'm trying to set up incremental propagation on a master-slave KDC
>> configuration where the KDCs are clients of a different realm to the one they
>> serve.
>
> kpropd appears to insist on using the default realm for its iprop code,
> even if a "-r realm" parameter is given. This is probably a bug.
>
> As a workaround, you could set KRB5_CONFIG to point to a copy of
> krb5.conf file with default_realm changed to the KDC realm.
Thanks for the reply - I've tried this on the slave KDC, but not on the master
(which is where I'm seeing GSSAPI errors due to a mismatch in realm
assumption).
I'll play around a little more and report back.
Cheers
Toby
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
More information about the Kerberos
mailing list