On Tue 2007-08-28 15:31:44 -0400, Sam Hartman wrote:

> Can I get you to remove the domain_realm mapping, use the etch
> libraries, and set forwardable = false in /etc/krb5.conf.
>
> Then run kinit to get non-forwardable tickets and try curl.

ok, i just did. i used an etch system and tested with both lenny and etch versions of the krb5 libraries. Initially, the ticket that i already had had the forwardable flag, though, so i kdestroy'ed it and fetched a new non-forwardable ticket. This makes 4 tests total (etch/lenny libs, non/forwardable tickets). That is, krb5.conf was the same under both tests, but one of the tests was with an older ticket that was forwardable.

> Do you see additional kdc transactions?

none of the 4 tests showed any attempts to contact either the primary KDC or the secondary.

> Does it work?

With the etch libraries, i can successfully authenticate (initial HTTP 401 response, followed by a successful 200). with the lenny libs, curl refuses to Negotiate (terminates after the 401 response):

    0 [EMAIL PROTECTED]:~/src/curl/9$ grep HTTP/ */*/headers.txt
    forwardable/etchlibs/headers.txt:HTTP/1.1 401 Authorization Required
    forwardable/etchlibs/headers.txt:HTTP/1.1 200 OK
    forwardable/lennylibs/headers.txt:HTTP/1.1 401 Authorization Required
    nonforwardable/etchlibs/headers.txt:HTTP/1.1 401 Authorization Required
    nonforwardable/etchlibs/headers.txt:HTTP/1.1 200 OK
    nonforwardable/lennylibs/headers.txt:HTTP/1.1 401 Authorization Required
    0 [EMAIL PROTECTED]:~/src/curl/9$

There was no significant time delay under any of these tests -- they all completed in < 1 second, once the initial DNS queries had been cached.

What does this tell you? Is there anything else i can do to help debug?

Thanks for looking into this. Do you have any recommended documentation for understanding the nuances of krb5 forwarding and proxying? I clearly need to read up on this stuff more.

Regards,

--dkg
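The test matrix above (fresh forwardable vs. non-forwardable ticket, then one Negotiate request, then grep the header dump) is easy to repeat by hand but easy to get wrong, e.g. by reusing a cached ticket whose flags differ from what krb5.conf now says. The script below is an added example written for this thread, not code posted by dkg or by the curl or krb5 maintainers. The two helper functions check the inputs and outputs that actually matter here: whether the TGT in the cache carries the F flag according to `klist -f`, and whether a header dump shows the 401 challenge followed by a 200 (negotiation happened) or stops at the 401 (client refused to Negotiate). Those two helpers run offline on the constructed sample text embedded below. The live runner assumes an MIT `kinit` (-f / -F for forwardable / not forwardable), a curl that accepts `--negotiate -u :` (older curl versions needed a placeholder username), and a server URL passed on the command line; none of those details come from the thread.

```shell
#!/bin/sh
# Added example for repeating the forwardable/non-forwardable Negotiate
# test described in the thread. Not part of the original bug report.
set -u

# Reads `klist -f` output on stdin and prints "yes" if the krbtgt entry
# (the TGT) carries the F (forwardable) flag, "no" otherwise.
tgt_is_forwardable() {
    awk '
        /krbtgt\// { tgt = 1; next }
        tgt && /Flags:/ { print ($2 ~ /F/) ? "yes" : "no"; exit }
    '
}

# Reads a curl -D header dump on stdin. Prints "negotiated" when a 401
# challenge was answered and a 200 followed, "refused" when the client
# stopped after the 401, and "unknown" when no 401 was seen at all.
judge_headers() {
    awk '
        /^HTTP\/1\.[01] 401/ { saw401 = 1 }
        /^HTTP\/1\.[01] 200/ && saw401 { ok = 1 }
        END { print ok ? "negotiated" : (saw401 ? "refused" : "unknown") }
    '
}

# One cell of the matrix: destroy any cached ticket, get a fresh one with
# the requested flag, verify the flag via klist, then make one request.
# Requires a reachable KDC and HTTP server (assumed; not runnable offline).
run_one() {
    outdir=$1; want_forwardable=$2; url=$3
    mkdir -p "$outdir"
    kdestroy 2>/dev/null || true
    if [ "$want_forwardable" = yes ]; then kinit -f; else kinit -F; fi
    klist -f > "$outdir/klist.txt"
    if [ "$(tgt_is_forwardable < "$outdir/klist.txt")" != "$want_forwardable" ]; then
        echo "$outdir: TGT flags do not match the requested ticket type" >&2
        return 1
    fi
    # -u : makes curl take the identity from the credential cache.
    curl -s --negotiate -u : -D "$outdir/headers.txt" -o /dev/null "$url"
    printf '%s: %s\n' "$outdir" "$(judge_headers < "$outdir/headers.txt")"
}

# Constructed sample inputs (not captured from a real system) so the two
# helpers can be exercised without a KDC.
SAMPLE_KLIST_FWD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
08/28/07 15:40:00  08/29/07 01:40:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	Flags: FIA'
SAMPLE_KLIST_NONFWD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
08/28/07 15:45:00  08/29/07 01:45:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	Flags: IA'
SAMPLE_HEADERS_OK='HTTP/1.1 401 Authorization Required
WWW-Authenticate: Negotiate

HTTP/1.1 200 OK
Content-Type: text/html'
SAMPLE_HEADERS_REFUSED='HTTP/1.1 401 Authorization Required
WWW-Authenticate: Negotiate'

# Live run of the four cells only when explicitly asked for:
#   sh thisscript.sh live http://host.example.org/protected/
if [ "${1:-}" = live ]; then
    url=$2
    run_one forwardable    yes "$url"
    run_one nonforwardable no  "$url"
fi
```

The flag check before the request is the step dkg's first attempt skipped: a ticket obtained before krb5.conf was changed keeps the flags it was issued with, so `klist -f` is the only way to know which cell of the matrix a given run actually belongs to.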