I can confirm two bugs that you have encountered and worked around:

1. kprop uses krb5_sname_to_principal() to determine its client principal, and does not understand the referral realm. So it does not work without a -r parameter unless the profile's domain_realm section can map the local hostname. You worked around this by correcting your existing domain_realm section in your profile.

   A reasonable, if not perfect, fix here is to do what kpropd does in a similar piece of code: substitute the default realm for the referral realm when using the result of krb5_sname_to_principal() as a client principal.

2. kpropd, when processing incremental updates, modifies the KDB using ulog_replay(), but does not initialize its context to use the KDC profile, so it uses only settings from krb5.conf to find the KDB. You worked around this with symlinks. An alternative workaround would be to put the KDB configuration into krb5.conf instead of kdc.conf. (In the past, it used to be required to put KDB configuration into krb5.conf. That odd requirement was relaxed somewhere around krb5 1.5 for most programs which run on the KDC, but a few have escaped the net, including kpropd.)

I will open issues for both bugs and try to get them fixed for 1.9. Thanks for your investigative work.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
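The two workarounds described in the message above, written out as a krb5.conf fragment; this is an added illustration, not configuration from the original post, and EXAMPLE.COM, the kdc1/kdc2 hostnames and the database path are placeholders to be replaced with the site's own values.

```ini
# Workaround for bug 1: give krb5_sname_to_principal() a domain_realm mapping
# for the local hostname, so kprop can build host/kdc2.example.com@EXAMPLE.COM
# as its client principal without a -r parameter.
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    kdc2.example.com = EXAMPLE.COM

# Workaround for bug 2: kpropd's incremental path reads only krb5.conf, so the
# realm's KDB settings normally kept in kdc.conf are carried here instead of
# pointing kpropd at them with symlinks.
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
        database_name = /var/kerberos/krb5kdc/principal
        iprop_enable = true
    }
```

Keep the same realm stanza in kdc.conf for the KDC itself; the copy in krb5.conf only needs the settings kpropd requires to locate and open the database.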
