Luis Daniel Lucio Quiroz wrote:
The problem I see on using pam krb is that ticket is on server not on workstation. Maybe you could use flag addressless to fix this issue, but I am not sure.
No. The problem, as I understand it, is that on the same machine doing a kinit vs using the pam_krb5 gives different results. The pam_krb5 in effect is doing a kinit for you. One works the other does not.
A network trace would help a lot.
If Wyllys is correct then doing a ls -l on the ticket cache after the kinit could give a clue. A ticket without a PAC is 200-300 bytes. With a PAC it would be more like 1000 bytes.
LD
On Friday 18 March 2005 07:10, Wyllys Ingersoll wrote:
Douglas E. Engert wrote:
I've just run another test and discovered that I can successfully log into the host initially (via PAM kerberos library and SSH), and I don't get error 52. I've got a ticket in my cache and everything. Kerb error 52 only occurs if I'm using kinit from the shell.
You could be right on the cut over point, and maybe addressless vs with address tickets keep the ticket just small enough.
When the client does not do pre-authentication, does AD still send PAC data? I thought it did not, but I'm not certain.
-Wyllys
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444
