Spurious tickets when using DNS realm configuration (and cross realm TGT)
david@crossfamilyweb.com
Sun Jul 28 18:49:57 EDT 2019
On 2019-07-28 17:08, david at crossfamilyweb.com wrote:
> [snip for brevity]
> So it gets the cross realm TGT, and then doesn't save it? after being
> short-circuit evaluated in the KDC?
>
> I do not (that I remember, or can find) have any CAPATHS setup on
> either the client or the server. The only thing that seems unifying
> is that the 'home' realm for the KDC is EXAMPLE.ORG (it is
> kerberos.example.org).
Ok.. so I made a bunch of changes to the krb5.conf on the kdc to remove
the default realm as well as to add in the other realms, additionally I
added 'dns_lookup_realm' and 'dns_lookup_kdc' to the krb5.conf on the
client machine as well as the kdc, and now I see the intermediate tgts in
all cases. So it's definitely config driven, and things appear to be
set up correctly; I wish I understood the subtleties of these behaviors
more (was it removing the default_realm? was it the DNS entries? adding
the remaining realms?)
More information about the krbdev mailing list