[30170] in Kerberos
Re: krb5_sname_to_principal question
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Jul 29 20:04:21 2008
To: kerberos@mit.edu
In-Reply-To: <20080729215448.GA5598@lizzy.catnook.local> (Jos Backus's message
of "Tue\, 29 Jul 2008 14\:54\:48 -0700")
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 29 Jul 2008 17:03:23 -0700
Message-ID: <87sktsi6gk.fsf@windlord.stanford.edu>
Jos Backus <jos@catnook.com> writes:
> On Tue, Jul 29, 2008 at 12:26:17PM -0700, Russ Allbery wrote:
>> I believe this was to support server-side referrals. The idea is that
>> the client will ask the server for a principal with an empty realm and
>> the server will figure out the realm.
> *nod* As it stands, without a matching domain_realm entry, the realm
> remains empty.
>
> This broke our setup between CentOS 4 (Kerberos 1.5) and CentOS 5
> (Kerberos 1.6.1), where ssh'ing into a box fails with `Wrong principal
> in request'. Adding some debugging from 1.6.3 reveals that the offered
> principal is `host/fqdn@REALM' whereas the expected principal (returned
> from krb5_sname_to_principal()) is `host/fqdn@'.

Yes, you're having the same situation that we did, where the change to
support referrals broke other software. My only experience with it has
been in the area of where it broke things.

We solved the problems we ran into by making sure that we had domain_realm
mappings on the client, since otherwise ksu stopped working. I think ksu
has now been fixed in Subversion, though.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
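
An added example, not part of the message above and not MIT Kerberos code: a small audit that reads a client krb5.conf and reports which hosts have no [domain_realm] mapping, and so would yield the `host/fqdn@' form with an empty realm described in the thread. The lookup is a simplified model (exact host entry, then parent domains written with a leading dot), and the realm and host names are constructed placeholders.

```python
import re

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    .example.com = EXAMPLE.COM
    build.lab.example.net = LAB.EXAMPLE.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a {name: realm} dict."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mappings[name.lower()] = realm
    return mappings

def realm_for_host(fqdn, mappings):
    """Exact host entry first, then each parent domain with a leading dot.
    Returns "" when nothing matches: the empty realm from the thread."""
    host = fqdn.lower().rstrip(".")
    if host in mappings:
        return mappings[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = "." + ".".join(labels[i:])
        if domain in mappings:
            return mappings[domain]
    return ""

def audit_hosts(hosts, conf_text):
    """Map each host to the host principal this model builds for it."""
    mappings = parse_domain_realm(conf_text)
    return {h: "host/%s@%s" % (h.lower(), realm_for_host(h, mappings))
            for h in hosts}

def unmapped(hosts, conf_text):
    """Hosts whose principal ends in a bare '@' and need a mapping."""
    results = audit_hosts(hosts, conf_text)
    return sorted(h for h, p in results.items() if p.endswith("@"))
```

Running unmapped() over the list of servers that clients log in to, against the krb5.conf those clients actually use, shows which entries to add before moving clients to a release with the referral behaviour.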