Christian Salzmann <[email protected]> writes:

> Yes I am:
>
> $ kvno host/<system>@<UX realm>
> host/<system>@<UX realm>: kvno = 3
>
> But I cannot obtain a cross-realm ticket if I remove the
> "allow_weak_crypto = true" directive:

But you said that's in /etc/krb5.conf, so that can't be the problem.
pam-krb5 just makes the same library calls as kinit and kvno, so if they
work and see that setting, so will pam-krb5.  Unless maybe you have
multiple krb5.conf files in different locations and are setting
KRB5_CONFIG or something?  That seems unlikely.

>> It may be that the MIT Kerberos code isn't doing cross-realm ticket
>> verification properly, but I do think this is supposed to work.  You
>> may have a missing domain_realm mapping, though.  Do you have any
>> domain_realm settings for the hostname of the server in /etc/krb5.conf?

> We have been running this cross-realm setup for years.  We even migrated
> successfully to a new AD realm and a new UX realm.  At the moment, a few
> hundred production hosts (pure lenny) work this way: users live in AD
> world, machines in UX world.

Right, but squeeze has much newer Kerberos libraries, so just because it
was working with lenny doesn't mean that your krb5.conf file has all the
details required for it to work in squeeze.

Do you have any domain_realm settings?  If the Kerberos libraries aren't
figuring out which realm the local host is in, that could definitely
explain the problem that you're seeing.  The error message is consistent
with the Kerberos libraries getting a service ticket for a different host
principal than the one that's in the keytab, either because they disagree
with the keytab about what the local host name is or because they are
getting a service ticket for a host principal in the wrong realm.

-- 
Russ Allbery ([email protected])              <http://www.eyrie.org/~eagle/>
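An added illustration of the domain_realm point Russ makes above (this is not code from the thread, from pam-krb5 or from MIT Kerberos): a small model of how the library picks the realm for the local host principal from [domain_realm], and why a host whose default_realm is the AD realm ends up asking for host/<system>@AD-realm while the keytab only holds host/<system>@UX-realm. The realm names, hostname, krb5.conf text and keytab listing are constructed; the lookup order (exact hostname, then each parent domain with a leading dot, then default_realm) is a model of MIT krb5's behaviour, not the library itself.

```python
"""Model of the [domain_realm] lookup that decides which host principal
the Kerberos libraries request when verifying a cross-realm ticket.
Added example; all names below are constructed, not from the thread."""
import re


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: flat `key = value` lines per [section].
    Nested `{ ... }` blocks (as under [realms]) are skipped; that is
    enough for [libdefaults] and [domain_realm]."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        depth += line.count("{") - line.count("}")
        if depth > 0 or current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def realm_for_host(conf, hostname):
    """Modelled MIT-style lookup: exact (lower-cased) hostname first, then
    each parent domain with a leading dot, then libdefaults default_realm."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf["libdefaults"]["default_realm"]


def expected_host_principal(conf, hostname):
    """The principal the library will ask the KDC for."""
    return "host/%s@%s" % (hostname.lower(), realm_for_host(conf, hostname))


def check_keytab(conf, hostname, keytab_principals):
    """Return (requested principal, whether the keytab can verify it)."""
    princ = expected_host_principal(conf, hostname)
    return princ, princ in keytab_principals


# Constructed: default_realm points at the AD realm where the users live,
# the machine itself lives in the UX realm, and there is no mapping yet.
CONF_NO_MAPPING = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM
    allow_weak_crypto = true
[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }
    UX.EXAMPLE.COM = {
        kdc = kdc1.ux.example.com
    }
"""

# Constructed: the same file with the mapping Russ asks about.
CONF_WITH_MAPPING = CONF_NO_MAPPING + """
[domain_realm]
    .ux.example.com = UX.EXAMPLE.COM
    ux.example.com = UX.EXAMPLE.COM
"""

HOST = "www1.ux.example.com"          # constructed local host name
KEYTAB = ["host/www1.ux.example.com@UX.EXAMPLE.COM"]  # constructed `klist -k`


if __name__ == "__main__":
    for label, text in (("without mapping", CONF_NO_MAPPING),
                        ("with mapping", CONF_WITH_MAPPING)):
        princ, ok = check_keytab(parse_krb5_conf(text), HOST, KEYTAB)
        print("%-16s requests %s  in keytab: %s" % (label, princ, ok))
```

On a real host the equivalent check is to compare what `klist -k` lists against `kvno host/$(hostname -f)` and confirm the realm in that ticket matches the keytab entry; if the two realms differ, a [domain_realm] entry for the host's domain is what is missing.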

