On 7/4/2017 3:05 AM, Andreas Haupt wrote:

> ... and on the KDC side:
> 
> Jul  4 08:33:46 kdc-7.3 kdc[12045]: TGS-REQ <myaccount>@MYREALM from 
> IPv4:<MY-IP> for krbtgt/CERN.CH@MYREALM [renewable, forwardable]
> Jul  4 08:33:46 kdc-7.3 kdc[12045]: Server not found in database: 
> krbtgt/CERN.CH@MYREALM: Success

I would like to see more of the log entries that follow as well as a
packet capture.  There is not enough detail here to say what is going on.

> This answer seems to make the client think the KDC is somehow malfunctioning
> and repeats the request with any KDC combination (all KDCs it finds in
> /etc/krb5.conf on ports 88 and 750 here). Of course, it causes long timeouts
> before the ssh client gives up and asks for a password.
> 
> Any idea to restore the old "Heimdal-1.2-style" behaviour? Is this
> considered a bug or misconfiguration?

I can't tell you since I don't have enough information.

What is MYREALM?

What is the client?

What is the configuration of the client?

What is the configuration of the KDC?

My guess is the difference in behavior is related to Kerberos Referrals
and/or implicit hierarchical capaths, both of which are not present in 1.2.

Jeffrey Altman

