More, re: Heimdal compatibility with MIT Krb 4
>Date: Sat, 8 Mar 2003 17:51:29 -0800
>Solaris 7 with the old MITv4 code it came with always fails with an
>unknown principal message. The kdc log on a NetBSD 1.6L machine
>says it's requesting a krbtgt.HOTZ.JPL.NASA.GOV@A ticket. I don't
>see the "A" in a tcpdump of the network traffic. The krb5.conf file
>is:
>
>>[libdefaults]
>> v4_instance_resolve = true
>> clockskew = 300
>>[realms]
>> JPL.NASA.GOV = {
>> kdc = eis-fil-afsdb08.jpl.nasa.gov
>> kdc = eis-fil-afsdb09.jpl.nasa.gov
>> kdc = eis-fil-afsdb10.jpl.nasa.gov
>> admin_server = kerberos.jpl.nasa.gov
>> }
>> HOTZ.JPL.NASA.GOV = {
>> kdc = machotz.jpl.nasa.gov
>> admin_server = machotz.jpl.nasa.gov
>> v4_domains = jpl.nasa.gov
>> }
>>[domain_realm]
>> .jpl.nasa.gov = JPL.NASA.GOV
>> jpl.nasa.gov = JPL.NASA.GOV
>> machotz.jpl.nasa.gov = HOTZ.JPL.NASA.GOV
>>[kdc]
>> enable-kerberos4 = true
>> enable-kaserver = true
>>[kadmin]
>> use_v4_salt = true
There's actually a little more information in the kdc log.
>2003-03-09T21:04:05 AS-REQ hotz.@HOTZ.JPL.NASA.GOV from
>IPv4:137.78.212.49 for krbtgt.HOTZ.JPL.NASA.GOV@A\x87\xb0\xa8
>2003-03-09T21:04:05 Server not found in database:
>krbtgt.HOTZ.JPL.NASA.GOV@A\x87\xb0\xa8: Failed to convert v4
>principal
That should be krbtgt/HOTZ.JPL.NASA.GOV@HOTZ.JPL.NASA.GOV ("/" not
".") and the AS-REQ shouldn't have a "." between "hotz" and "@".
Just for completeness the MITv4 config files are:
>redhotz# more /etc/krb.conf
>HOTZ.JPL.NASA.GOV
>HOTZ.JPL.NASA.GOV machotz.jpl.nasa.gov admin server
>redhotz# more /etc/krb.realms
>.jpl.nasa.gov HOTZ.JPL.NASA.GOV
>jpl.nasa.gov HOTZ.JPL.NASA.GOV
Does the Heimdal kdc obey the convention that kill -HUP makes it
reread its config files?
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu