On Thu, Jul 07, 2005 at 02:22:59PM -0700, Phil Dibowitz wrote:
> On Wed, Jul 06, 2005 at 07:21:17PM -0400, Kevin Coffman wrote:
> > My guess is that your krbtgt/[EMAIL PROTECTED] principal still
> > only has a des key. 'cpw -randkey -keepold' on that principal to
> > generate other keys.
>
> Nice. That works. I didn't realize that had to be updated. Which leaves me
> with a few more questions:
>
> 1. What's the difference between the principals [EMAIL PROTECTED] and
> krbtgt/[EMAIL PROTECTED] ? They both exist, but krbtgt/ISD.USC.EDU seems
> to be the ACTUAL ticket granting principal, while [EMAIL PROTECTED] has the
> DISALLOW_ALL_TIX attribute.

OK, so going back, I find that krbtgt/[EMAIL PROTECTED] is for cross-realm
trust. [EMAIL PROTECTED] was our original tgt.

However, now all tickets seem to be coming from krbtgt/[EMAIL PROTECTED].

Now the person who set up krbtgt/[EMAIL PROTECTED] and the cross-realm trust
was 2 admins ago - did they make a mistake, or is this a bug in kerb, or is
this expected behavior?

In other words, my klist looks like this:

[EMAIL PROTECTED] phil]$ klist
Ticket cache: FILE:/tmp/krb5cc_36070
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
07/07/05 14:34:25  07/08/05 00:34:23  krbtgt/[EMAIL PROTECTED]
[EMAIL PROTECTED] phil]$

But I would think it SHOULD look like this:

[EMAIL PROTECTED] phil]$ klist
Ticket cache: FILE:/tmp/krb5cc_36070
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
07/07/05 14:34:25  07/08/05 00:34:23  [EMAIL PROTECTED]
[EMAIL PROTECTED] phil]$

I get the eerie feeling that this is due to a misconfiguration of our
cross-realm trust... Hmmm.

-- 
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
