[31858] in Kerberos
Re: Wrong principal in request
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Jan 4 20:42:32 2010
From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <4B4261C8.9060002@kickflop.net> (Jeff Blaine's message of "Mon,
04 Jan 2010 16:46:48 -0500")
Date: Mon, 04 Jan 2010 17:42:25 -0800
Message-ID: <87eim5z5ry.fsf@windlord.stanford.edu>
Jeff Blaine <jblaine@kickflop.net> writes:
> I happened to notice this (note the missing realm) after a
> failed GSSAPI attempt to the SSH server (mega):
> [root@mega ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: jblaine@FOO
> Valid starting     Expires            Service principal
> 01/04/10 16:14:51  01/11/10 16:14:51  krbtgt/FOO@FOO
>         renew until 01/18/10 16:14:51
> 01/04/10 16:15:08  01/11/10 16:14:51  host/mega@
>         renew until 01/18/10 16:14:51
Ah, that means that the client doesn't know what the local realm is and is
therefore trying to ask the server via referrals, but the server isn't
answering that question.
> I updated /etc/krb5.conf to include
> [domain_realm]
> mega = FOO
> And all is well when connecting from mega to mega with OpenSSH
> and GSSAPI options.
> All is well, too, when connecting from sol10 SPARC stock SSH
> to mega using GSSAPI options.
> PuTTY-GSSAPI as the client still gives me the same error :(
Did you update the Windows equivalent (krb5.ini, I think)?
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
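
Added example, not part of either poster's message: a Python check for the symptom discussed in this thread. It flags cached service tickets whose realm is empty (as in `host/mega@`) and tests whether a krb5.conf text maps the host in `[domain_realm]`. The function names, the klist date layout, and the simplified lookup order (exact host name, then parent domains written with a leading dot) are assumptions of this example.

```python
import re

# Constructed sample mirroring the klist output quoted in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jblaine@FOO

Valid starting     Expires            Service principal
01/04/10 16:14:51  01/11/10 16:14:51  krbtgt/FOO@FOO
        renew until 01/18/10 16:14:51
01/04/10 16:15:08  01/11/10 16:14:51  host/mega@
        renew until 01/18/10 16:14:51
"""

# Constructed krb5.conf fragment containing the mapping from the thread.
SAMPLE_CONF = """\
[domain_realm]
    mega = FOO
"""

# Assumption: dates are printed as MM/DD/YY HH:MM:SS, as in the quoted output.
DATE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^{DATE}\s+{DATE}\s+(\S+)$")

def empty_realm_tickets(klist_text):
    """Return service principals whose realm part (after '@') is empty."""
    matches = (TICKET.match(line.strip()) for line in klist_text.splitlines())
    return [m.group(1) for m in matches if m and m.group(1).endswith("@")]

def domain_realm(conf_text, host):
    """Simplified [domain_realm] lookup; returns the realm or None."""
    section, table = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            table[key.lower()] = value
    host = host.lower()
    candidates = [host]                       # exact host name first
    while "." in host:                        # then ".parent" domains
        host = host[host.index(".") + 1:]
        candidates.append("." + host)
    return next((table[c] for c in candidates if c in table), None)
```

A ticket returned by `empty_realm_tickets` together with `None` from `domain_realm` for the same host matches the situation described above: the client has no local mapping and is relying on referrals from the KDC.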