>Which is interesting as the same key (well, the same enc/salt type "created"
>with the same password) was present -- only key on the realmA kdc and the 3rd
>of three listed via a getprinc on the realmB kdc.

When you're dealing with KEYS, remember that the salt type is NOT communicated when you're doing TGS_REQs (it's only negotiated as part of an AS_REQ ... when kinit happens). If you had, for example, three single-DES salt types, they're considered the same as far as the KDC is concerned for service principals (even though they are NOT the same key). Realm B's KDC would simply pick the first ENCTYPE that matched the enctype in the ticket from realm A. If they have a dissimilar salt, then the keys won't match.

--Ken
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
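
The selection behaviour described in the reply above, modelled as an added example that is not part of the original message and is not KDC code. Assumptions: PBKDF2-HMAC-SHA1 stands in for the real Kerberos string-to-key function, and the password, salt strings and function names are constructed for illustration.

```python
import hashlib

def derive_key(password: str, salt: str) -> bytes:
    # Stand-in KDF, NOT the real Kerberos string-to-key. It only keeps the
    # property that matters here: same password + different salt = different key.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)

def make_keylist(password, entries):
    # entries: ordered (enctype, salt) pairs, in the order stored on the principal.
    return [(enctype, salt, derive_key(password, salt)) for enctype, salt in entries]

def select_key(keylist, ticket_enctype):
    # The salt is not carried in a TGS_REQ, so selection is by enctype only:
    # the first key in the list with a matching enctype wins.
    for enctype, salt, key in keylist:
        if enctype == ticket_enctype:
            return salt, key
    return None

def cross_realm_ok(realm_a_keys, realm_b_keys, ticket_enctype):
    # The cross-realm ticket only decrypts if both KDCs end up with the same key.
    a = select_key(realm_a_keys, ticket_enctype)
    b = select_key(realm_b_keys, ticket_enctype)
    return a is not None and b is not None and a[1] == b[1]

# Constructed sample data: one shared password, one enctype, three salts.
PASSWORD = "constructed-cross-realm-password"
NORMAL, NOREALM, ONLYREALM = "REALMAkrbtgtREALMB", "krbtgtREALMB", "REALMA"

# Realm A holds a single key; realm B holds three keys of the same enctype,
# with the one that matches realm A listed third (the case in the quoted text).
REALM_A_KEYS = make_keylist(PASSWORD, [("des-cbc-crc", NORMAL)])
REALM_B_KEYS = make_keylist(PASSWORD, [("des-cbc-crc", ONLYREALM),
                                       ("des-cbc-crc", NOREALM),
                                       ("des-cbc-crc", NORMAL)])
# Same principal on realm B with only the matching enctype/salt pair kept.
REALM_B_FIXED = make_keylist(PASSWORD, [("des-cbc-crc", NORMAL)])

if __name__ == "__main__":
    print("three salts on B:", cross_realm_ok(REALM_A_KEYS, REALM_B_KEYS, "des-cbc-crc"))
    print("single key on B: ", cross_realm_ok(REALM_A_KEYS, REALM_B_FIXED, "des-cbc-crc"))
```
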
