Re: kerberos - incorrect net address
My previous message was probably a bit dense, so I'll try my best to get right to the point. kerberos kinit was failing, giving me the error incorrect net address The kdc.log file indicated that the request was coming from ::1 (the IPv6 loopback, is that right?) After much looking, I found that I could get it to succeed with just one change: I changed my /etc/hosts file, so it read only: 10.0.1.202 auth.my.realm auth ::1 auth.my.realm auth (so that 10.0.1.202 was first, instead of ::1) kinit then succeeded My questions are: It works, but I'm betting it's not the 'right thing to do' so, what is? Where else should I look? I'm trying to understand how kinit came up with ::1, so that maybe I can figure out the 'right way to fix it' (I'm not a developer, but) I'm guessing since kinit needs to get a default IP address, it first gets a hostname (maybe gethostbyname() or something like it) and then does some sort of lookup from hostname to address (maybe res_query() or something like it) I'm guessing that the hostname to address is the problem, would this explain why changing /etc/hosts worked? Thanks
Re: kerberos - incorrect net address
On Tue, 03 Jul 2007 03:39:51 + Douglas Maus [EMAIL PROTECTED] wrote: Could someone help me understand IP addresses, DNS, and Kerberos on OpenBSD? I was getting incorrect net address when trying to kinit, and I found that switching 2 lines in /etc/hosts putting first 10.0.1.201 auth.my.realm auth before ::1 auth.my.realm auth fixed this, but I don't understand this and I suspect this means I'm doing something else wrong. When kinit asks for a ticket i encodes the hosts address in the request. The KDC then compares the encoded address with the address in the IP-header and if they don't match you'll get this error. I started the kdc: # /usr/libexec/kdc but when I tried # kinit admin or # kinit admin --no-address I got incorrect net address Options goes before the pricipal, i.e. # kinit --no-addresses admin There are some configuration options that affects this as well; search krb5.conf(5) -- Bjvrn Sandell Chalmers University of Technology IT Services www.chalmers.se/its +46 (0)31 772 1000 No one ever says, 'I can't read that ASCII E-mail you sent me.'