Christian Salzmann <[email protected]> writes:
> Please note also that login succeeds if I use the password for a user
> principal in the UX realm. Setting "default realm" to <UX realm> in
> krb5.conf, login succeeds via gssapi.
Okay, let me see if I understand.
The UX realm is MIT Kerberos, and the host/* key in the keytab for the
host is in the UX realm? But the default realm listed in krb5.conf is the
AD realm?
If you kinit to the principal in the AD realm, and then run:
kvno host/<system>
where <system> is the local FQDN, are you able to obtain cross-realm
service tickets for the host key for that system?
It may be that the MIT Kerberos code isn't doing cross-realm ticket
verification properly, but I do think this is supposed to work. You may
have a missing domain_realm mapping, though. Do you have any domain_realm
settings for the hostname of the server in /etc/krb5.conf?
--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>