[37291] in Kerberos
Re: Incremental propagation when KDCs are clients of a different realm
daemon@ATHENA.MIT.EDU (Toby Blake)
Mon Nov 2 11:36:04 2015
From: Toby Blake <toby@inf.ed.ac.uk>
In-Reply-To: <563785D3.1070702@mit.edu>
Date: Mon, 2 Nov 2015 16:35:38 +0000
Message-Id: <F4C4E7CE-B107-4C1D-8959-F42F2118BA04@inf.ed.ac.uk>
To: Greg Hudson <ghudson@mit.edu>, kerberos@mit.edu

Hi Greg,

> On 2 Nov 2015, at 15:48, Greg Hudson <ghudson@mit.edu> wrote:
>
> On 11/02/2015 09:48 AM, Toby Blake wrote:
>> I'm trying to set up incremental propagation on a master-slave KDC
>> configuration where the KDCs are clients of a different realm to the one they
>> serve.
>
> kpropd appears to insist on using the default realm for its iprop code,
> even if a "-r realm" parameter is given. This is probably a bug.
>
> As a workaround, you could set KRB5_CONFIG to point to a copy of
> krb5.conf file with default_realm changed to the KDC realm.

Thanks for the reply - I've tried this on the slave KDC, but not on the master
(which is where I'm seeing GSSAPI errors due to a mismatch in realm
assumption).

I'll play around a little more and report back.

Cheers
Toby
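
The workaround suggested in the quoted reply, as an added shell example that is not part of the original message or of MIT krb5: it writes a copy of krb5.conf whose `[libdefaults]` `default_realm` is the realm the KDC serves, for a daemon to read via `KRB5_CONFIG`. The function name `make_kdc_krb5_conf`, the realm names and the paths are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function name, realm names and paths are assumptions.

# make_kdc_krb5_conf SRC DST REALM
# Write a copy of SRC to DST with default_realm in [libdefaults] set to REALM.
# Other sections are left untouched. If [libdefaults] lacks default_realm it
# is appended at the end of that section; if the section is missing, it is added.
make_kdc_krb5_conf() {
    src=$1 dst=$2 realm=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    awk -v realm="$realm" '
        function emit() { print "    default_realm = " realm; done = 1 }
        /^[ \t]*\[/ {                      # a section header
            if (in_ld && !done) emit()     # leaving [libdefaults] unset
            in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/)
            print; next
        }
        in_ld && /^[ \t]*default_realm[ \t]*=/ {
            if (!done) emit()              # replace first, drop duplicates
            next
        }
        { print }
        END {
            if (in_ld && !done) emit()
            if (!done) { print "[libdefaults]"; emit() }
        }
    ' "$src" > "$dst"
}

# Constructed sample: the host is a client of CLIENT.EXAMPLE.ORG while the
# KDC serves KDC.EXAMPLE.ORG.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = CLIENT.EXAMPLE.ORG

[realms]
    KDC.EXAMPLE.ORG = {
        kdc = kdc1.example.org
    }
EOF
    make_kdc_krb5_conf "$dir/krb5.conf" "$dir/krb5-kdc.conf" KDC.EXAMPLE.ORG &&
        cat "$dir/krb5-kdc.conf"
    # Only the daemon's environment needs to change, e.g.
    #   KRB5_CONFIG=$dir/krb5-kdc.conf kpropd -r KDC.EXAMPLE.ORG
    rm -rf "$dir"
}
demo
```

The system krb5.conf is never modified, so other software on the host keeps its original default realm.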