On Tuesday, May 09, 2006 03:49:35 PM -0400 Gwen Parker <[EMAIL PROTECTED]> wrote:
> [libdefaults] > default_realm = dcri.duke.net > > > [realms] > dcri.duke.net = { ># kdc = vmsodium.dcri.duke.net > kdc = 10.0.101.65 > } Kerberos realm names are case-sensitive. "dcri.duke.net" and "DCRI.DUKE.NET" are not the same realm name. The problem here is that you are trying to get tickets for [EMAIL PROTECTED], and since there is no entry in your krb5.conf for that realm, the library tries to use the DNS to find a KDC for that realm. You haven't indicated what Kerberos you're using or how new it is, but the most likely scenario is that it's looking for SRV records for _kerberos._tcp.dcri.duke.net and/or _kerberos._udp.dcri.duke.net, possibly followed by falling back to the traditional KDC hostname of kerberos.dcri.duke.net. If it can't find any of these, it fails. The solution is to fix your krb5.conf to use the correct, uppercase realm name. > [domain_realms] > .kerberos.server = dcri.duke.net I don't think this does what you think. The line above says that any host whose name ends in .kerberos.server belongs to the dcri.duke.net domain. Unless you have hosts whose names end in .kerberos.server, which seems rather unlikely, this line is doing nothing useful for you. Assuming that things in both dcri.duke.edu and dcri.duke.net belong to the DCRI.DUKE.NET realm, you want lines like these: .dcri.duke.edu = DCRI.DUKE.NET .dcri.duke.net = DCRI.DUKE.NET dcri.duke.edu = DCRI.DUKE.NET dcri.duke.net = DCRI.DUKE.NET (the last two lines handle the two machines whose names _are_ dcri.duke.edu and dcri.duke.net, rather than being below those domains. If no such machines exist, you don't need those lines). -- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]> Sr. Research Systems Programmer School of Computer Science - Research Computing Facility Carnegie Mellon University - Pittsburgh, PA ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos