Spurious tickets when using DNS realm configuration (and cross realm TGT)

david@crossfamilyweb.com david at crossfamilyweb.com
Sun Jul 28 18:49:57 EDT 2019

On 2019-07-28 17:08, david at crossfamilyweb.com wrote:
> [snip for brevity]
> So it gets the cross realm TGT, and then doesn't save it? after being
> short-circuit evaluated in the KDC?
> I do not (that I remember, or can find) have any CAPATHS set up on
> either the client or the server.  The only thing that seems unifying
> is that the 'home' realm for the KDC is EXAMPLE.ORG (it is
> kerberos.example.org).

Ok.. so I made a bunch of changes to the krb5.conf on the KDC to remove 
the default realm as well as to add in the other realms; additionally, I 
added 'dns_lookup_realm' and 'dns_lookup_kdc' to the krb5.conf on the 
client machine as well as the KDC, and now I see the intermediate TGTs in 
all cases.   So it's definitely config driven, and things appear to be 
set up correctly; I wish I understood the subtleties of these behaviors 
more (was it removing the default_realm?  was it the DNS entries? adding 
the remaining realms?)
