[krbdev.mit.edu #8332] gss_init_sec_context w/host@<hostname> fails with anonymous tickets
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Dec 24 00:26:17 EST 2015
This is a known problem, although I don't seem to have created a ticket
for it. It's a pretty serious impediment to using anonymous tickets,
which is unfortunate. Basically, you can contact a target service if its
realm is known and is the same as the realm where the client got
anonymous tickets; if the service realm is unknown or is a foreign realm,
get_creds tries to start with a TGT for WELLKNOWN:ANONYMOUS and fails.
An outline of the solution is at
http://k5wiki.kerberos.org/wiki/Projects/StartRealmCCconfig, but we
haven't implemented it yet.
A possible workaround for local-realm use is to configure a
[domain_realm] on the client so that it doesn't try to use the referral
realm for host-based service names.
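An added illustration of the client-side [domain_realm] workaround mentioned in the comment above; it is not part of the original ticket and the realm EXAMPLE.COM and domain example.com are placeholders for the realm that issued the anonymous tickets and the domain of the target host:

```ini
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    # Placeholder mapping: pin the target host's domain to the realm the
    # anonymous TGT was obtained from, so the library resolves host/<hostname>
    # locally instead of asking for a referral (which would need a TGT for
    # WELLKNOWN:ANONYMOUS and fail, as described above).
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

This only helps while the service lives in the same realm as the anonymous tickets; it does not address the foreign-realm case, which still needs the StartRealm change linked above.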