On Tue, Jul 29, 2008 at 12:26:17PM -0700, Russ Allbery wrote: > I believe this was to support server-side referrals. The idea is that the > client will ask the server for a principal with an empty realm and the > server will figure out the realm. *nod* As it stands, without a matching domain_realm entry, the realm remains empty.
This broke our setup between CentOS 4 (Kerberos 1.5) and CentOS 5 (Kerberos 1.6.1) , where ssh'in into a box fails with `Wrong principal in request'. Adding some debugging from 1.6.3 reveals that the offered principal is `host/[EMAIL PROTECTED]' whereas the expected principal (returned from krb5_sname_to_principal()) is `host/fqdn@'. > I don't know exactly how this works, though. Neither do I. -- Jos Backus jos at catnook.com ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos