On Mon, Oct 11, 2010 at 02:12:24PM -0400, Greg Hudson wrote:
No, it's not the domain heuristic, which is off by default anyway; it's
the next step after the domain heuristic, which is to use the parent
domain (uppercased) without trying to decide whether it's a real realm
or not.
So you'd
On Tue, 2010-10-12 at 04:36 -0400, Brian Candler wrote:
On Mon, Oct 11, 2010 at 02:12:24PM -0400, Greg Hudson wrote:
No, it's not the domain heuristic, which is off by default anyway; it's
the next step after the domain heuristic, which is to use the parent
domain (uppercased) without
On Mon, Oct 04, 2010 at 12:57:17PM -0400, Greg Hudson wrote:
Yes. The precedence order of domain-realm mappings is:
1. krb5.conf domain_realms
2. KDC referrals
3. DNS TXT lookups, if turned on
4. The domain heuristic, if turned on
5. The upper-cased parent realm of the hostname
Brian Candler b.cand...@pobox.com wrote:
The error message from /var/log/http/ssl_error_log was unhelpful:
[Mon Oct 11 11:20:17 2010] [error] [client 172.31.131.185]
krb5_verify_init_creds() failed: Key table entry not found
What was even more odd, if I did a 'su' to the apache user, I was
On Mon, Oct 11, 2010 at 08:54:50AM -0500, Christopher D. Clausen wrote:
What was even more odd, if I did a 'su' to the apache user, I was able to
'kinit' using one of the usernames/passwords which apache was rejecting as
Basic Auth credentials. Surely mod_auth_kerb should be doing the same??
On Mon, Oct 04, 2010 at 10:11:37PM +0100, Brian Candler wrote:
Which brings me to an aside: does this mean that all communication is
initiated by the client to each KDC, except for the final server to its KDC?
There's no KDC to KDC traffic? I'm particularly interested whether I can
make the
On Mon, 2010-10-11 at 10:22 -0400, Brian Candler wrote:
- mod_auth_kerb tries to find realm for rails.api.example.com
(the virtual server hostname), via DNS lookups
- mod_auth_kerb fails to find one
- mod_auth_kerb looks for something duff like HTTP/rails.api.example.com@
in its keytab,
On Mon, Oct 11, 2010 at 12:54:57PM -0400, Greg Hudson wrote:
On Mon, 2010-10-11 at 10:22 -0400, Brian Candler wrote:
- mod_auth_kerb tries to find realm for rails.api.example.com
(the virtual server hostname), via DNS lookups
- mod_auth_kerb fails to find one
- mod_auth_kerb looks for
On Mon, 2010-10-11 at 13:16 -0400, Brian Candler wrote:
Is that the domain heuristic? This machine has (RedHat's version of)
Kerberos 1.3.4, and I thought you said that capability was only introduced
recently.
No, it's not the domain heuristic, which is off by default anyway; it's
the next
In the admin guide at
http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Mapping-Hostnames-onto-Kerberos-Realms
it says:
The second mechanism [for mapping hostnames onto Kerberos realms] works by
looking up the information in special TXT records in the Domain Name
Service. This
On Mon, 2010-10-04 at 07:01 -0400, Brian Candler wrote:
(1) What DNS lookups are made by the workstation and/or the server when a
connection takes place?
pc.foo.example.com looks up a TXT record for
_kerberos.server.bar.example.com.
(2) Could any of the DNS responses take precedence over the
On Mon, 2010-10-04 at 12:57 -0400, Greg Hudson wrote:
4. The domain heuristic, if turned on
I should have noted that the domain heuristic was added in MIT krb5 1.7,
which may be newer than the version on your client hosts.
Kerberos mailing
On Mon, Oct 04, 2010 at 12:57:17PM -0400, Greg Hudson wrote:
On Mon, 2010-10-04 at 07:01 -0400, Brian Candler wrote:
(1) What DNS lookups are made by the workstation and/or the server when a
connection takes place?
pc.foo.example.com looks up a TXT record for
On 10/4/2010 5:11 PM, Brian Candler wrote:
On Mon, Oct 04, 2010 at 12:57:17PM -0400, Greg Hudson wrote:
On Mon, 2010-10-04 at 07:01 -0400, Brian Candler wrote:
(1) What DNS lookups are made by the workstation and/or the server when a
connection takes place?
pc.foo.example.com looks up a TXT
14 matches