On Jun 29, 2006, at 19:41, Mike Friedman wrote:
>> If these KDCs are for two different realms, can you list both
>> config files in KRB5_CONFIG?
>
> But then how do I get the *default realm* set correctly? In my
> script, I do a parse_name() to create a principal object
> corresponding to the TGS service principal (e.g.,
> krbtgt/<realm>@<realm>). (It's this principal object that I must pass to
> get_in_tkt_with_password()). And, unfortunately, parse_name()
> complains if my config file doesn't have a default realm, so
> defining both realms in the [realms] stanza doesn't do me any good.

krb5_set_default_realm?

> But if I do define a default realm, then that's the KDC to which I
> get connected, regardless of the realm name I specify when
> constructing the TGS service principal name itself.

That sounds like a bug. If this is for getting initial tickets, and you're specifying the non-default realm in both the client principal name and the TGS service principal name, it should only contact that non-default realm's KDC.

> But given that I get a new context each time, why can't I reset the
> value of KRB5_CONFIG on each call and have it be honored? This is
> the crux of the matter, apparently.

If you don't mind digging into the krb5 library code, change lib/krb5/os/init_os_ctx.c:os_get_default_config_files or set a breakpoint in gdb, and examine the result of calling getenv.

Ken
