[30169] in Kerberos


Re: krb5_sname_to_principal question

daemon@ATHENA.MIT.EDU (Jos Backus)
Tue Jul 29 17:55:46 2008

Date: Tue, 29 Jul 2008 14:54:48 -0700
From: Jos Backus <jos@catnook.com>
To: kerberos@mit.edu
Message-ID: <20080729215448.GA5598@lizzy.catnook.local>
In-Reply-To: <87hca8mqzq.fsf@windlord.stanford.edu>
Reply-To: jos@catnook.com

On Tue, Jul 29, 2008 at 12:26:17PM -0700, Russ Allbery wrote:
> I believe this was to support server-side referrals.  The idea is that the
> client will ask the server for a principal with an empty realm and the
> server will figure out the realm.
 
*nod* As it stands, without a matching domain_realm entry, the realm remains
empty.

This broke our setup between CentOS 4 (Kerberos 1.5) and CentOS 5 (Kerberos
1.6.1), where ssh'ing into a box fails with `Wrong principal in request'.
Adding some debugging from 1.6.3 reveals that the offered principal is
`host/fqdn@REALM' whereas the expected principal (returned from
krb5_sname_to_principal()) is `host/fqdn@'.

> I don't know exactly how this works, though.

Neither do I.

-- 
Jos Backus
jos at catnook.com
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
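
Added example, not part of the original message or of MIT Kerberos: a small check over a krb5.conf that lists the host names no domain_realm entry applies to, which is the case described above where the realm stays empty. The matching order follows the krb5.conf documentation (exact host name first, then parent domains written with a leading period); the realm, host names and config text are constructed placeholders.

```python
# Constructed sample config; EXAMPLE.COM and all host names are placeholders.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    .corp.example.com = EXAMPLE.COM
    legacy.example.net = EXAMPLE.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a {lowercase name: realm} dict."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def realm_for_host(fqdn, mapping):
    """Exact host entry first, then each parent domain with a leading period.
    Returns "" when nothing matches: the empty realm seen in `host/fqdn@'."""
    host = fqdn.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return ""

def unmapped_hosts(fqdns, conf_text):
    """Hosts whose host/ principal would be built with an empty realm."""
    mapping = parse_domain_realm(conf_text)
    return [h for h in fqdns if realm_for_host(h, mapping) == ""]

if __name__ == "__main__":
    hosts = ["web1.corp.example.com", "legacy.example.net", "db1.example.org"]
    table = parse_domain_realm(SAMPLE_CONF)
    for h in hosts:
        realm = realm_for_host(h, table)
        print(f"host/{h}@{realm}", "" if realm else "<- add a domain_realm entry")
```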
