[36714] in Kerberos

Re: Wrong principal in request error on gss_accept_sec_context()

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Jan 6 13:52:48 2015

Message-ID: <54AC2EEA.7020809@mit.edu>
Date: Tue, 06 Jan 2015 13:52:26 -0500
From: Greg Hudson <ghudson@mit.edu>
To: "Xie, Hugh" <hugh.xie@bankofamerica.com>,
        "'<kerberos@mit.edu>'" <Kerberos@mit.edu>
In-Reply-To: <7E270C3427928E499F189C5636C52CDC45C770BF@smtp_mail.bankofamerica.com>

On 01/05/2015 09:36 PM, Xie, Hugh wrote:
> 1. /efs/dist/kerberos/mit/1.11.5/exec/bin/klist -k -t $KRB5_KTNAME
> Keytab name: FILE: /tmp/myacct.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    2 12/17/2014 15:30:08 myacct@COMMON.BANKOFAMERICA.COM

[In the klist output:]
> #1>     Client: winlogin @ COMMON.BANKOFAMERICA.COM
>         Server: HTTP/host2.site123.baml.com @ COMMON.BANKOFAMERICA.COM

If the client is authenticating to HTTP/host2.site123.baml.com then the
server needs that key in its keytab, though it doesn't have to be listed
under that name.

From the information given so far, I cannot tell whether the myacct key
ought to be the same as the HTTP/host2.site123.baml.com key through some
kind of principal aliasing.  I am particularly confused by these two
statements:

On Fri Dec 19 13:33:11 EST 2014:
> We are using the same account on both hosts the Principal in the keytab is "myacct at COMMON.BANKOFAMERICA.COM"

On: Sat Dec 20 21:28:33 EST 2014
> No it is different computer accounts.
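
An added example (not part of the original message, and not MIT Kerberos code): a small Python check that compares the service principals on a ticket listing's `Server:` lines against the names in `klist -k -t` output, using the two excerpts quoted above as sample input. A reported mismatch only says where to look; as the message notes, the needed key may be present under a different name. The function names are this example's own.

```python
import re

# Sample input: the two klist excerpts quoted in the message above.
KEYTAB_LISTING = """\
Keytab name: FILE: /tmp/myacct.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/17/2014 15:30:08 myacct@COMMON.BANKOFAMERICA.COM
"""
TICKET_LISTING = """\
#1>     Client: winlogin @ COMMON.BANKOFAMERICA.COM
        Server: HTTP/host2.site123.baml.com @ COMMON.BANKOFAMERICA.COM
"""

def normalize(principal):
    """Drop the spaces that the ticket listing prints around '@'."""
    return re.sub(r"\s*@\s*", "@", principal.strip())

def keytab_entries(listing):
    """Return {principal: set of KVNOs} parsed from `klist -k -t` output."""
    entries = {}
    for line in listing.splitlines():
        # Entry rows look like: KVNO, date, time, principal.
        m = re.match(r"\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s*$", line)
        if m:
            entries.setdefault(normalize(m.group(2)), set()).add(int(m.group(1)))
    return entries

def ticket_servers(listing):
    """Return the service principals named on 'Server:' lines."""
    return [normalize(m.group(1))
            for m in re.finditer(r"^\s*Server:\s*(.+?)\s*$", listing, re.MULTILINE)]

def unmatched_services(keytab_listing, ticket_listing):
    """Service principals with tickets issued that the keytab does not list by name."""
    listed = keytab_entries(keytab_listing)
    return [s for s in ticket_servers(ticket_listing) if s not in listed]

if __name__ == "__main__":
    for svc in unmatched_services(KEYTAB_LISTING, TICKET_LISTING):
        # Name mismatch is a lead, not proof: the key may be stored under an alias.
        print(f"no keytab entry named {svc}; check whether another entry holds its key")
```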