Tickets without realm?



Hi,

For some reason everybody in the realm here always ends up with two tickets for
each service they connect to, once with the realm in the principal and once without.
For example:

Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: jelmer@VERNSTOK.NL

  Issued           Expires          Principal
Jan 27 23:49:44  Jan 28 09:49:42  krbtgt/VERNSTOK.NL@VERNSTOK.NL
Jan 27 23:49:47  Jan 28 09:49:42  host/gwenhwyvar.vernstok.nl@
Jan 27 23:49:47  Jan 28 09:49:42  host/gwenhwyvar.vernstok.nl@VERNSTOK.NL

or, klist -v:

Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: jelmer@VERNSTOK.NL
    Cache version: 4

Server: krbtgt/VERNSTOK.NL@VERNSTOK.NL
Client: jelmer@VERNSTOK.NL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 257
Auth time:  Jan 27 23:49:44 2008
End time:   Jan 28 09:49:42 2008
Ticket flags: initial
Addresses: addressless

Server: host/gwenhwyvar.vernstok.nl@
Client: jelmer@VERNSTOK.NL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 287
Auth time:  Jan 27 23:49:44 2008
Start time: Jan 27 23:49:47 2008
End time:   Jan 28 09:49:42 2008
Ticket flags: transited-policy-checked
Addresses: addressless

Server: host/gwenhwyvar.vernstok.nl@VERNSTOK.NL
Client: jelmer@VERNSTOK.NL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 287
Auth time:  Jan 27 23:49:44 2008
Start time: Jan 27 23:49:47 2008
End time:   Jan 28 09:49:42 2008
Ticket flags: transited-policy-checked
Addresses: addressless

I'm using Heimdal both as KDC and client. The version of Heimdal on the KDC is
0.7.2.

Here is the krb5.conf that is used on both the KDC and the clients:

[libdefaults]
#    default_cc_name = KCM:%{uid}
	dns_lookup_realm = true
	dns_lookup_kdc = true

[login]
	krb4_convert = false
	krb4_get_tickets = false

(this also fails if I set default_realm=VERNSTOK.NL)

Strangely enough, I can only find one ticket request for host/gwenhwyvar.vernstok.nl 
in the KDC logs, and that does include the realm name.  What could be going wrong here?

Cheers,

Jelmer
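
An added example, not part of the original post: a small check that parses the short `klist` listing shown above and reports every service principal that is cached with an empty realm alongside its realm-qualified copies. It assumes the three-column listing layout from the post; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input copied from the short klist listing in the post.
SAMPLE = """\
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: jelmer@VERNSTOK.NL

  Issued           Expires          Principal
Jan 27 23:49:44  Jan 28 09:49:42  krbtgt/VERNSTOK.NL@VERNSTOK.NL
Jan 27 23:49:47  Jan 28 09:49:42  host/gwenhwyvar.vernstok.nl@
Jan 27 23:49:47  Jan 28 09:49:42  host/gwenhwyvar.vernstok.nl@VERNSTOK.NL
"""

# One ticket row: "Mon DD HH:MM:SS  Mon DD HH:MM:SS  principal"
STAMP = r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}"
ROW = re.compile(rf"^\s*({STAMP})\s+({STAMP})\s+(\S+)\s*$")


def parse_tickets(text):
    """Return (issued, expires, name, realm) tuples from a klist listing."""
    tickets = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue  # preamble, column header or blank line
        issued, expires, principal = m.groups()
        # Split on the last '@'; a trailing '@' gives an empty realm.
        if "@" in principal:
            name, realm = principal.rsplit("@", 1)
        else:
            name, realm = principal, ""
        tickets.append((issued, expires, name, realm))
    return tickets


def realmless_duplicates(tickets):
    """Map each name cached with an empty realm to its realm-qualified copies."""
    realms = defaultdict(set)
    for _issued, _expires, name, realm in tickets:
        realms[name].add(realm)
    return {name: sorted(r for r in seen if r)
            for name, seen in realms.items() if "" in seen}


if __name__ == "__main__":
    for name, others in realmless_duplicates(parse_tickets(SAMPLE)).items():
        print(f"{name}@ (empty realm) also cached for: {others or 'no other realm'}")
```
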