[EMAIL PROTECTED] (Steve Langasek) writes:

>> It would be nice to not have to configure an explicit capath, of course.
>>
>> Still, I gather from your comments that after configuring the shared keys
>> this should Just Work. Since it did not, I'm led to the same conclusion
>> that there's a bug at play here.
I think Doug may have misled you here, because this should require
configuration. Consider this case:

CUSTOMER.ISP.NET -> ISP.NET -> BANK.NET

[EMAIL PROTECTED] wants to authenticate to [EMAIL PROTECTED]

If BANK.NET permitted this to "Just Work", then the ISP could claim to be me
without my consent, because the ISP.NET kdc can issue a [EMAIL PROTECTED] in
my name. But you don't want this, because there may not be a real trust
relationship there. So, transitive trust relationships need to be configured.

IMHO, the default capath through the root is also a bad idea, but since there
has never been a gTLD kerberos realm that I am aware of, and there is unlikely
to be one, it's a moot point in practice.

>> After thinking about it a bit, it seems I may just create cross-realm keys
>> for FOO.TWO.NET<->ONE.NET, as this maps better onto the real-world trust
>> relationships.

Then that is what you should do.

Marc
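The check Marc describes, as an added example that is not part of the thread and not code from any Kerberos implementation: a simplified model of how a server realm's KDC decides whether the realms a cross-realm ticket has passed through match its krb5.conf-style [capaths] data. The ticket's transited field is modelled as a plain list of realm names (the real encoding is compressed), and the realm names are the ones used in the thread.

```python
from typing import Dict, List, Optional

# [capaths] layout: client realm -> server realm -> intermediate realms.
# "." means the two realms share a direct key (no intermediates).
Capaths = Dict[str, Dict[str, List[str]]]


def ancestors(realm: str) -> List[str]:
    """CUSTOMER.ISP.NET -> ["ISP.NET", "NET"] (the hierarchy above a realm)."""
    parts = realm.split(".")
    return [".".join(parts[i:]) for i in range(1, len(parts))]


def hierarchical_path(client: str, server: str) -> List[str]:
    """Default path used when no [capaths] entry exists: up from the client
    realm to the common ancestor, then down to the server. As the thread
    notes, this assumes the root (e.g. NET) is a real realm, which it is not."""
    c_anc, s_anc = ancestors(client), ancestors(server)
    if server in c_anc:                     # server is above the client
        return c_anc[:c_anc.index(server)]
    if client in s_anc:                     # client is above the server
        return list(reversed(s_anc[:s_anc.index(client)]))
    for i, realm in enumerate(c_anc):
        if realm in s_anc:                  # first common ancestor
            return c_anc[:i + 1] + list(reversed(s_anc[:s_anc.index(realm)]))
    return []


def configured_path(capaths: Capaths, client: str, server: str) -> Optional[List[str]]:
    """Intermediate realms configured for client -> server, or None if absent."""
    entry = capaths.get(client, {}).get(server)
    if entry is None:
        return None
    return [] if entry == ["."] else list(entry)


def transited_ok(capaths: Capaths, client: str, server: str,
                 transited: List[str], allow_hierarchy: bool = False) -> bool:
    """Accept the ticket only if the realms it transited are exactly the path
    the server realm configured. Without a [capaths] entry there is no
    consent, so the ticket is rejected; allow_hierarchy=True opts into the
    root-based default that the thread argues against."""
    path = configured_path(capaths, client, server)
    if path is None:
        if not allow_hierarchy:
            return False
        path = hierarchical_path(client, server)
    return transited == path


# Constructed config: the direct FOO.TWO.NET <-> ONE.NET key Steve proposes.
DIRECT_KEYS: Capaths = {"FOO.TWO.NET": {"ONE.NET": ["."]}}
```

With DIRECT_KEYS a ticket from FOO.TWO.NET for ONE.NET is accepted only if it transited nothing, and a CUSTOMER.ISP.NET ticket relayed via ISP.NET is refused by BANK.NET until BANK.NET explicitly lists ISP.NET as an intermediate.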