
Re: Tickets without realm?



These are tickets obtained using KDC referrals.  They are stored both
with and without realm information so that they can be found both ways.
There is in fact only one ticket obtained from the KDC.

Jeffrey Altman


Jelmer Vernooij wrote:
> Hi,
>
> For some reason everybody in the realm here always ends up with two tickets for
> each service they connect to, once with the realm in the principal and once without.
> For example:
>
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: jelmer@VERNSTOK.NL
>
>   Issued           Expires          Principal
> Jan 27 23:49:44  Jan 28 09:49:42  krbtgt/VERNSTOK.NL@VERNSTOK.NL
> Jan 27 23:49:47  Jan 28 09:49:42  host/gwenhwyvar.vernstok.nl@
> Jan 27 23:49:47  Jan 28 09:49:42  host/gwenhwyvar.vernstok.nl@VERNSTOK.NL
>
> or, klist -v:
>
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: jelmer@VERNSTOK.NL
>     Cache version: 4
>
> Server: krbtgt/VERNSTOK.NL@VERNSTOK.NL
> Client: jelmer@VERNSTOK.NL
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
> Ticket length: 257
> Auth time:  Jan 27 23:49:44 2008
> End time:   Jan 28 09:49:42 2008
> Ticket flags: initial
> Addresses: addressless
>
> Server: host/gwenhwyvar.vernstok.nl@
> Client: jelmer@VERNSTOK.NL
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
> Ticket length: 287
> Auth time:  Jan 27 23:49:44 2008
> Start time: Jan 27 23:49:47 2008
> End time:   Jan 28 09:49:42 2008
> Ticket flags: transited-policy-checked
> Addresses: addressless
>
> Server: host/gwenhwyvar.vernstok.nl@VERNSTOK.NL
> Client: jelmer@VERNSTOK.NL
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
> Ticket length: 287
> Auth time:  Jan 27 23:49:44 2008
> Start time: Jan 27 23:49:47 2008
> End time:   Jan 28 09:49:42 2008
> Ticket flags: transited-policy-checked
> Addresses: addressless
>
> I'm using heimdal both as KDC and client. The version of Heimdal on the KDC is
> 0.7.2.
>
> Here is the krb5.conf that is used on both the kdc and the clients:
>
> [libdefaults]
> #    default_cc_name = KCM:%{uid}
> 	dns_lookup_realm = true
> 	dns_lookup_kdc = true
>
> [login]
> 	krb4_convert = false
> 	krb4_get_tickets = false
>
> (this also fails if I set default_realm=VERNSTOK.NL)
>
> Strangely enough, I can only find one ticket request for host/gwenhwyvar.vernstok.nl 
> in the KDC logs, and that does include the realm name.  What could be going wrong here?
>
> Cheers,
>
> Jelmer
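
The double listing explained in the reply can be checked from the client side. The following is an added example, not part of the original messages and not Heimdal code: it parses `klist -v` output and pairs each realm-less entry with a realm-qualified entry that matches on every other field. Treating matching metadata as "same ticket" is an assumption of this example, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Abridged from the klist -v output quoted above (Heimdal format).
SAMPLE = """\
Server: krbtgt/VERNSTOK.NL@VERNSTOK.NL
Client: jelmer@VERNSTOK.NL
Ticket length: 257
End time:   Jan 28 09:49:42 2008

Server: host/gwenhwyvar.vernstok.nl@
Client: jelmer@VERNSTOK.NL
Ticket length: 287
Start time: Jan 27 23:49:47 2008
End time:   Jan 28 09:49:42 2008

Server: host/gwenhwyvar.vernstok.nl@VERNSTOK.NL
Client: jelmer@VERNSTOK.NL
Ticket length: 287
Start time: Jan 27 23:49:47 2008
End time:   Jan 28 09:49:42 2008
"""

# Fields that must agree for two cache entries to count as one ticket (assumption).
FIELDS = ("Client", "Ticket etype", "Ticket length", "Start time", "End time")

def parse_entries(text):
    """Return one {field: value} dict per 'Server:' block of klist -v output."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, _, v in pairs if v.strip()}
        if "Server" in fields:
            entries.append(fields)
    return entries

def group_by_ticket(entries):
    """Map (service name, other fields...) -> set of realms it is cached under."""
    groups = defaultdict(set)
    for e in entries:
        name, sep, realm = e["Server"].rpartition("@")
        if not sep:                      # no '@' at all: treat as realm-less
            name, realm = e["Server"], ""
        groups[(name,) + tuple(e.get(f) for f in FIELDS)].add(realm)
    return groups

def referral_duplicates(entries):
    """(service, realm) pairs whose realm-less twin is also in the cache."""
    return sorted((key[0], realm)
                  for key, realms in group_by_ticket(entries).items()
                  if "" in realms for realm in realms if realm)

if __name__ == "__main__":
    for service, realm in referral_duplicates(parse_entries(SAMPLE)):
        print(f"{service}: one ticket, cached as '{service}@' and '{service}@{realm}'")
```

A realm-less entry with no matching realm-qualified twin is not reported, so anything left over after this pairing is worth a closer look at the KDC log.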
