On Fri, Jan 25, 2002 at 01:16:00PM -0600, Douglas E. Engert wrote:
> > >> After thinking about it a bit, it seems I may just create cross-realm keys
> > >> for FOO.TWO.NET<->ONE.NET, as this maps better onto the real-world trust
> > >> relationships.

> That would work, but does not solve the N**2 key problem which transitive trust
> was designed to solve.

> > Then that is what you should do.

> It still looks like a bug to me. Steve, is the FOO.TWO.NET realm listed in
> the ONE.NET krb5.conf file used by the KDC? Can the ONE.NET KDC use DNS to
> find it? It could be it is failing as it does not recognize the realm name.

KDCs for all realms are published with DNS. If I create cross-realm keys
between any two realms, I'm able to acquire service tickets without any
problems. It's only the two-hop scenario that trips me up.

> Did this work with krb5-1.2.2 or earlier?

1.2.3 is the first version that I've personally tried this with.

Steve Langasek
postmodern programmer