On Thu, Jul 07, 2005 at 05:30:07PM -0700, Phil Dibowitz wrote: > On Thu, Jul 07, 2005 at 02:22:59PM -0700, Phil Dibowitz wrote: > > On Wed, Jul 06, 2005 at 07:21:17PM -0400, Kevin Coffman wrote: > > > My guess is that your krbtgt/[EMAIL PROTECTED] principal still > > > only has a des key. 'cpw -randkey -keepold' on that principal to > > > generate other keys. > > > > Nice. That works. I didn't realize that had to be updated. Which leaves me > > with a few more questions: > > > > 1. What's the difference between the principals [EMAIL PROTECTED] and > > krbtgt/[EMAIL PROTECTED] ? They both exist, but krbtgt/ISD.USC.EDU seems > > to be the ACTUAL ticket granting principal, while [EMAIL PROTECTED] has the > > DISALLOW_ALL_TIX attribute. > > OK, so going back, I find that > > krbtgt/[EMAIL PROTECTED] is for crossrealm trust. > [EMAIL PROTECTED] was our original tgt.
Oh, I typoed. Which made me realize there's another issue. The cross-realm princ is: krbtgt/[EMAIL PROTECTED] and the right tgt (based on Kerberos by Brian Tung), doesn't seem to be doing anything: [EMAIL PROTECTED] and the mystery ticket is doing everything: krbtgt/[EMAIL PROTECTED] Now I'm quite confused. Any thoughts would be appreciated. -- Phil Dibowitz Systems Architect and Administrator Enterprise Infrastructure / ISD / USC UCC 180 - 213-821-5427
pgpQp8GZjrixM.pgp
Description: PGP signature
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos