[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Tickets without realm?
On Mon, 28 Jan 2008 00:11:17 +0100
Jelmer Vernooij <jelmer@vernstok.nl> wrote:
> Hi,
>
> For some reason everybody in the realm here always end up with two tickets for
> each service they connect to, once with the realm in the principal and once without.
> For example:
>
> Credentials cache: FILE:/tmp/krb5cc_1000
> Principal: jelmer@VERNSTOK.NL
>
> Issued Expires Principal
> Jan 27 23:49:44 Jan 28 09:49:42 krbtgt/VERNSTOK.NL@VERNSTOK.NL
> Jan 27 23:49:47 Jan 28 09:49:42 host/gwenhwyvar.vernstok.nl@
> Jan 27 23:49:47 Jan 28 09:49:42 host/gwenhwyvar.vernstok.nl@VERNSTOK.NL
Funny I just ran into this testing:
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: hmuller@W.NET
Valid starting Expires Service principal
01/27/08 17:24:18 01/28/08 03:24:46 krbtgt/W.NET@W.NET
renew until 01/28/08 17:24:18
01/27/08 17:25:42 01/28/08 03:24:46 krbtgt/B.W.NET@W.NET
renew until 01/28/08 17:24:18
01/27/08 17:25:29 01/28/08 03:24:46 HTTP/s0.foo.net@W.NET
renew until 01/28/08 17:24:18
01/27/08 17:44:51 01/28/08 03:24:46 host/nano.foo.net@W.NET
renew until 01/28/08 17:24:18
01/27/08 17:57:17 01/28/08 03:24:46 host/ls1.w.net@
renew until 01/28/08 17:24:18
01/27/08 17:59:37 01/28/08 03:24:46 HTTP/ls1.w.net@
renew until 01/28/08 17:24:18
But the KDC is W2K3.
The client is Firefox on Linux which I assume is MIT but it's not directly
linked with gssapi so I'm not sure what it's using (although I do not
have Heimdal installed for system use on the machine).
The HTTP server is using a modified Heimdal 0.7.2 but for HTTP I'm not
sure it's really being exercised such that it would have any influence
over how the principal name was constructed by the client.
Normally I never see this happen but I was testing cross domain stuff and
messing around with DNS trying to get FF to negotiate with another domain.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/