On Mon, Oct 04, 2010 at 12:57:17PM -0400, Greg Hudson wrote:
Yes. The precedence order of domain-realm mappings is:
1. krb5.conf domain_realms
2. KDC referrals
3. DNS TXT lookups, if turned on
4. The domain heuristic, if turned on
5. The upper-cased parent realm of the hostname
Brian Candler b.cand...@pobox.com wrote:
The error message from /var/log/http/ssl_error_log was unhelpful:
[Mon Oct 11 11:20:17 2010] [error] [client 172.31.131.185]
krb5_verify_init_creds() failed: Key table entry not found
What was even more odd, if I did a 'su' to the apache user, I was
On Mon, Oct 11, 2010 at 08:54:50AM -0500, Christopher D. Clausen wrote:
What was even more odd, if I did a 'su' to the apache user, I was able to
'kinit' using one of the usernames/passwords which apache was rejecting as
Basic Auth credentials. Surely mod_auth_kerb should be doing the same??
On Mon, Oct 04, 2010 at 10:11:37PM +0100, Brian Candler wrote:
Which brings me to an aside: does this mean that all communication is
initiated by the client to each KDC, except for the final server to its KDC?
There's no KDC to KDC traffic? I'm particularly interested whether I can
make the
On Mon, 2010-10-11 at 10:22 -0400, Brian Candler wrote:
- mod_auth_kerb tries to find realm for rails.api.example.com
(the virtual server hostname), via DNS lookups
- mod_auth_kerb fails to find one
- mod_auth_kerb looks for something duff like HTTP/rails.api.example.com@
in its keytab,
On Mon, Oct 11, 2010 at 12:54:57PM -0400, Greg Hudson wrote:
On Mon, 2010-10-11 at 10:22 -0400, Brian Candler wrote:
- mod_auth_kerb tries to find realm for rails.api.example.com
(the virtual server hostname), via DNS lookups
- mod_auth_kerb fails to find one
- mod_auth_kerb looks for
On Mon, 2010-10-11 at 13:16 -0400, Brian Candler wrote:
Is that the domain heuristic? This machine has (RedHat's version of)
Kerberos 1.3.4, and I thought you said that capability was only introduced
recently.
No, it's not the domain heuristic, which is off by default anyway; it's
the next
Hi Dominic,
Thanks for your feedback. You make a good point about reporting a bug. Though
my memory is that the Kerberos team knew about them all..
The second issue is as designed, and given that kprop is so efficient, isn't as
bad as I first thought when I read about it. Of course your
On Oct 10, 2010, at 19:46, Jeremy Hunt wrote:
Hi Dominic,
Thanks for your feedback. You make a good point about reporting a bug. Though
my memory is that the Kerberos team knew about them all..
The second issue is as designed, and given that kprop is so efficient, isn't
as bad as I
Hi Ken, Dominic et al,
Sorry about using the term second issue twice. I will clarify all points as
Ken raised them
Issue1: profile changes do not appear to be logged and propagated via iprop.
I am sorry, I meant policy not profile. Probably because I meant a user
profile, where a user is