On 2012-10-27 03:41, Russ Allbery wrote:
> When you do a klist after you run wallet, what principal shows up in your
> local ticket cache? It's not the same principal as is in /etc/krb5.keytab
> on the remote system.
>
> Usually this means that there's something wrong with your DNS resolution.
> Something isn't matching somewhere.
Thank you for the hint, I now get it (and should have known it)!

This confusion is the result of our running two auth servers in an active/passive cluster setup: auth01.example.com and auth02.example.com with a floating/virtual IP address that resolves from/to the service address auth.example.com. This way all services on the network can simply use auth.example.com as the single point of contact and we can run OpenLDAP, Kerberos and saslauthd (for LDAP authentication pass-through to Kerberos) more highly available. In my original post I tried to abstract those seemingly unnecessary details but that did not do much good.

For saslauthd to work there must be a host-specific principal in /etc/krb5.keytab, i.e. host/auth01.example.com or host/auth02.example.com, but for wallet/remctld to work there needs to be one for the service address as well, i.e. host/auth.example.com. The latter is what was missing, so I added it to /etc/krb5.keytab on each of the two auth servers and now those simple wallet tests seem to work as expected.

But do I have to fear any negative consequences after adding more than one host principal to /etc/krb5.keytab? Will this break anything? Is it even "legal" to do?

Thanks again,
Andreas
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
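The failure mode in this thread is a keytab that holds host/ principals for the node names but not for the floating service name that clients actually resolve. The following shell functions, added here as an illustration and not part of the thread or of any Kerberos distribution, take the text of a `klist -k` listing and report which of the expected host/ principals are absent, so the same check can be run on each cluster node after a keytab change. The hostnames, realm EXAMPLE.COM, KVNO values and the sample listings are constructed placeholders in the style of the thread; a keytab may hold any number of principals, so the check only verifies presence, not count.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that a keytab listing
# contains a host/ principal for every name a node answers to, including the
# floating service address. Hostnames, realm and KVNOs are assumed placeholders.

# Return 0 if the klist-style listing contains exactly host/<fqdn>@<realm>.
# The principal is always the last field of a data line, while the header
# lines ("KVNO Principal", dashes) never match a host/ name.
keytab_has_host_principal() {
    listing="$1"; fqdn="$2"; realm="$3"
    printf '%s\n' "$listing" | awk -v p="host/${fqdn}@${realm}" '
        $NF == p { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print "missing: host/<name>@<realm>" for each name not present in the
# listing; return 1 if anything is missing, 0 if the keytab is complete.
missing_host_principals() {
    listing="$1"; realm="$2"; shift 2
    rc=0
    for name in "$@"; do
        if ! keytab_has_host_principal "$listing" "$name" "$realm"; then
            echo "missing: host/${name}@${realm}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output in the format of `klist -k /etc/krb5.keytab`
# on auth01 before the service-address principal was added (one line per
# encryption type, hence the repeated principal).
SAMPLE_BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/auth01.example.com@EXAMPLE.COM
   3 host/auth01.example.com@EXAMPLE.COM'

# The same node after host/auth.example.com was added.
SAMPLE_AFTER="$SAMPLE_BEFORE
   2 host/auth.example.com@EXAMPLE.COM"

# Offline demonstration against the constructed samples.
echo "before:"; missing_host_principals "$SAMPLE_BEFORE" EXAMPLE.COM auth01.example.com auth.example.com
echo "after:";  missing_host_principals "$SAMPLE_AFTER"  EXAMPLE.COM auth01.example.com auth.example.com && echo "keytab complete"

# On a real node (MIT Kerberos klist, run as root so the keytab is readable):
#   missing_host_principals "$(klist -k /etc/krb5.keytab)" EXAMPLE.COM "$(hostname -f)" auth.example.com
```

Because the node name and the service name both have to be present, the list of names passed to `missing_host_principals` should contain every DNS name that can resolve to the node's addresses; running the check on both cluster members after each keytab update catches the asymmetry described in the thread before a failover exposes it.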
