On Thu, Jul 04, 2013 at 10:26:33AM +0200, Petter Reinholdtsen wrote:
> [Guido Günther]
> > Could you check how the Heimdal kinit behaves? I'd like to know if it
> > behaves the same as krb5-auth-dialog (I assume so). You can set:
> > 
> > # Debug logging
> > [logging]
> > krb5=STDERR
> > 
> > for more detailed debugging.
> 
> Not easily.  Not quite sure how to replace that on a diskless
> workstation without messing up the setup completely.

That's sad since it will make debugging much harder. 

> 
> > What does "hostname --fqdn" show?
> 
> It reports only the short name without a domain part, i.e. 'ltsp4115'.
> 
> > Can you attach your krb5.conf?
> 
> Attached.  It is the default from the package, as SRV records are used
> to find the Kerberos server.  So the hostname isn't the important part
> here, as the DNS domain to use is in /etc/resolv.conf instead.

I'm not sure I'm following here. If you don't have a domain name, from
which domain's SRV records would you expect the client to retrieve
its realm?
Can you show how MIT resolves the REALM and then the KDC in your case?
Cheers,
 -- Guido

> 
> -- 
> Happy hacking
> Petter Reinholdtsen

> [libdefaults]
>         dns_lookup_realm = true
>         dns_lookup_kdc = true
> #     default_realm = INTERN
> 
> # The following krb5.conf variables are only for MIT Kerberos.
>       krb4_config = /etc/krb.conf
>       krb4_realms = /etc/krb.realms
>       kdc_timesync = 1
>       ccache_type = 4
>       forwardable = true
>       proxiable = true
> 
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented.  In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
> #
> # The only time when you might need to uncomment these lines and change
> # the enctypes is if you have local software that will break on ticket
> # caches containing ticket encryption types it doesn't know about (such as
> # old versions of Sun Java).
> 
> #     default_tgs_enctypes = des3-hmac-sha1
> #     default_tkt_enctypes = des3-hmac-sha1
> #     permitted_enctypes = des3-hmac-sha1
> 
> # The following libdefaults parameters are only for Heimdal Kerberos.
>       v4_instance_resolve = false
>       v4_name_convert = {
>               host = {
>                       rcmd = host
>                       ftp = ftp
>               }
>               plain = {
>                       something = something-else
>               }
>       }
>       fcc-mit-ticketflags = true
> 
> [realms]
>       ATHENA.MIT.EDU = {
>               kdc = kerberos.mit.edu:88
>               kdc = kerberos-1.mit.edu:88
>               kdc = kerberos-2.mit.edu:88
>               admin_server = kerberos.mit.edu
>               default_domain = mit.edu
>       }
>       MEDIA-LAB.MIT.EDU = {
>               kdc = kerberos.media.mit.edu
>               admin_server = kerberos.media.mit.edu
>       }
>       ZONE.MIT.EDU = {
>               kdc = casio.mit.edu
>               kdc = seiko.mit.edu
>               admin_server = casio.mit.edu
>       }
>       MOOF.MIT.EDU = {
>               kdc = three-headed-dogcow.mit.edu:88
>               kdc = three-headed-dogcow-1.mit.edu:88
>               admin_server = three-headed-dogcow.mit.edu
>       }
>       CSAIL.MIT.EDU = {
>               kdc = kerberos-1.csail.mit.edu
>               kdc = kerberos-2.csail.mit.edu
>               admin_server = kerberos.csail.mit.edu
>               default_domain = csail.mit.edu
>               krb524_server = krb524.csail.mit.edu
>       }
>       IHTFP.ORG = {
>               kdc = kerberos.ihtfp.org
>               admin_server = kerberos.ihtfp.org
>       }
>       GNU.ORG = {
>               kdc = kerberos.gnu.org
>               kdc = kerberos-2.gnu.org
>               kdc = kerberos-3.gnu.org
>               admin_server = kerberos.gnu.org
>       }
>       1TS.ORG = {
>               kdc = kerberos.1ts.org
>               admin_server = kerberos.1ts.org
>       }
>       GRATUITOUS.ORG = {
>               kdc = kerberos.gratuitous.org
>               admin_server = kerberos.gratuitous.org
>       }
>       DOOMCOM.ORG = {
>               kdc = kerberos.doomcom.org
>               admin_server = kerberos.doomcom.org
>       }
>       ANDREW.CMU.EDU = {
>               kdc = kerberos.andrew.cmu.edu
>               kdc = kerberos2.andrew.cmu.edu
>               kdc = kerberos3.andrew.cmu.edu
>               admin_server = kerberos.andrew.cmu.edu
>               default_domain = andrew.cmu.edu
>       }
>       CS.CMU.EDU = {
>               kdc = kerberos.cs.cmu.edu
>               kdc = kerberos-2.srv.cs.cmu.edu
>               admin_server = kerberos.cs.cmu.edu
>       }
>       DEMENTIA.ORG = {
>               kdc = kerberos.dementix.org
>               kdc = kerberos2.dementix.org
>               admin_server = kerberos.dementix.org
>       }
>       stanford.edu = {
>               kdc = krb5auth1.stanford.edu
>               kdc = krb5auth2.stanford.edu
>               kdc = krb5auth3.stanford.edu
>               master_kdc = krb5auth1.stanford.edu
>               admin_server = krb5-admin.stanford.edu
>               default_domain = stanford.edu
>       }
>         UTORONTO.CA = {
>                 kdc = kerberos1.utoronto.ca
>                 kdc = kerberos2.utoronto.ca
>                 kdc = kerberos3.utoronto.ca
>                 admin_server = kerberos1.utoronto.ca
>                 default_domain = utoronto.ca
>       }
> 
> [domain_realm]
>       .mit.edu = ATHENA.MIT.EDU
>       mit.edu = ATHENA.MIT.EDU
>       .media.mit.edu = MEDIA-LAB.MIT.EDU
>       media.mit.edu = MEDIA-LAB.MIT.EDU
>       .csail.mit.edu = CSAIL.MIT.EDU
>       csail.mit.edu = CSAIL.MIT.EDU
>       .whoi.edu = ATHENA.MIT.EDU
>       whoi.edu = ATHENA.MIT.EDU
>       .stanford.edu = stanford.edu
>       .slac.stanford.edu = SLAC.STANFORD.EDU
>         .toronto.edu = UTORONTO.CA
>         .utoronto.ca = UTORONTO.CA
> 
> [login]
>       krb4_convert = true
>       krb4_get_tickets = false
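
The question in this message, which DNS names a client can query at all when the hostname has no domain part, can be worked through with a simplified model of DNS-based discovery (TXT `_kerberos.<domain>` for the realm, SRV `_kerberos._udp.<REALM>` / `_kerberos._tcp.<REALM>` for the KDC). This is an added example, not code from the thread or from MIT or Heimdal; the resolv.conf contents, the function names and the exact lookup order are assumptions for illustration.

```python
# Constructed sample: a resolv.conf as it might look on the diskless client.
SAMPLE_RESOLV_CONF = """\
# constructed example
search intern
nameserver 10.0.2.2
"""

def resolv_domains(resolv_conf):
    """Return the DNS domains from 'domain'/'search' lines.
    Per resolv.conf(5) the two keywords are mutually exclusive; last one wins."""
    domains = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "search":
            domains = [d.rstrip(".").lower() for d in fields[1:]]
        elif len(fields) >= 2 and fields[0] == "domain":
            domains = [fields[1].rstrip(".").lower()]
    return domains

def txt_candidates(hostname, resolv_conf):
    """Ordered TXT names a client could query to learn its realm.
    Assumed order: the host name and its parents (only if it has a domain
    part), then the resolver's domain/search list."""
    host = hostname.rstrip(".").lower()
    names = []
    if "." in host:
        labels = host.split(".")
        for i in range(len(labels)):
            names.append("_kerberos." + ".".join(labels[i:]))
    for domain in resolv_domains(resolv_conf):
        name = "_kerberos." + domain
        if name not in names:
            names.append(name)
    return names

def kdc_srv_names(realm):
    """SRV names used to locate a KDC for a realm (realm upper-cased by convention)."""
    realm = realm.upper()
    return ["_kerberos._udp." + realm, "_kerberos._tcp." + realm]

if __name__ == "__main__":
    # Short hostname from the thread, with and without a resolver domain.
    print(txt_candidates("ltsp4115", SAMPLE_RESOLV_CONF))
    print(txt_candidates("ltsp4115", "nameserver 10.0.2.2\n"))
    print(kdc_srv_names("intern"))
```

With a short hostname and no `domain`/`search` line the candidate list is empty, so realm discovery has nothing to query; the names printed in the other cases can be checked by hand with `dig TXT` and `dig SRV`.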

