On Tue, Dec 07, 2004 at 05:57:47PM -0500, Chaskiel M Grundman wrote:
> you ought to be able to tell if the client is sending a second request by
> using tcpdump or ethereal to capture packets from the network while the
> client is attempting to authenticate. (tcpdump does not have much of a krb5
> packet dissector, but you can capture packets on the kdc with tcpdump -w,
> and copy the file to another system to run ethereal)

This is absolutely the right thing to do, thank you; I hope to have a chance to try that today and see what happens.

> The two features are not related. It's possible that the operation of
> disabling preauth somehow is dissociating the principals from the policy
> object they were using before. make sure that the user's principal (or
> relevant policy) and the krbtgt principal (or relevant policy) does not
> have DISALLOW_FORWARDABLE set on it.

Turning off preauth for the krbtgt/REALM principal makes forwarding work without preauthentication (thanks, Sam!). I'll let the list know what happens with the Cisco box in case anyone runs into the same problem in the future.

Thanks, all!

-r.
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
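
The check suggested in the thread above (does the client send a second request?), as an added example that is not part of the original messages. It assumes the port-88 payloads have already been extracted from the capture as `(sender, payload)` pairs and that the first request is answered with a KRB-ERROR, as in the usual preauthentication flow; the function names and sample bytes are constructed for illustration.

```python
# Added example: classify Kerberos V5 messages by their outer ASN.1 tag
# and decide whether the client retried after the KDC's error reply.
# RFC 4120 wraps each message in an APPLICATION tag (constructed form):
KRB_TYPES = {
    0x6A: "AS-REQ",     # [APPLICATION 10]
    0x6B: "AS-REP",     # [APPLICATION 11]
    0x6C: "TGS-REQ",    # [APPLICATION 12]
    0x6D: "TGS-REP",    # [APPLICATION 13]
    0x7E: "KRB-ERROR",  # [APPLICATION 30]
}

def krb_type(payload: bytes, tcp: bool = False) -> str:
    """Return the message type name for one port-88 payload."""
    if tcp:
        # Over TCP each message is preceded by a 4-byte length prefix.
        if len(payload) < 5:
            return "UNKNOWN"
        payload = payload[4:]
    if not payload:
        return "UNKNOWN"
    return KRB_TYPES.get(payload[0], "UNKNOWN")

def client_retried(exchange) -> bool:
    """True if a second AS-REQ follows a KRB-ERROR reply to the first."""
    seen_first = seen_error = False
    for sender, payload in exchange:
        kind = krb_type(payload)
        if sender == "client" and kind == "AS-REQ":
            if seen_first and seen_error:
                return True
            seen_first = True
        elif sender == "kdc" and kind == "KRB-ERROR" and seen_first:
            seen_error = True
    return False

# Constructed samples: only the leading tag byte is meaningful here.
RETRY = [("client", b"\x6a\x81\x90"), ("kdc", b"\x7e\x81\x80"),
         ("client", b"\x6a\x82\x01\x10"), ("kdc", b"\x6b\x82\x02\x00")]
NO_RETRY = [("client", b"\x6a\x81\x90"), ("kdc", b"\x7e\x81\x80")]

if __name__ == "__main__":
    print("retry seen:", client_retried(RETRY))
    print("retry seen:", client_retried(NO_RETRY))
```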