
Re: Compatibility problem?





alexander.behrend@arcor.de wrote:
> I have found another possible reason. Earlier I had an entry not found in the
> database error. I fixed it by adding the missing entry.
> 
> krbtgt/SINGLESIGNON.EXAMPLE.COM@SINGLESIGNON.EXAMPLE.COM and
> krbtgt/EXAMPLE.COM@SINGLESIGNON.EXAMPLE.COM

You would only use the second entry if you are doing cross-realm.

So your problem may be that the client is assuming the service is not
in the realm of SINGLESIGNON.EXAMPLE.COM and is trying
to walk the realm tree by going up one level to EXAMPLE.COM.

You said the client was Vista using PuTTY and WinSCP?

Look to see if the PuTTY Configuration->Auth has a "Server realm (SSPI):"
box. If so, enter the realm in there. It could be PuTTY is using SSPI.

If PuTTY is using GSSAPI from KfW, look at your krb5.conf
[domain_realm] section.


> 
> The logs "krb5kdc.log" told me that he is using both ticket entries. So I
> deleted the second entry to force the use of only the first one krbtgt entry. 
> 
> Now he shows me "Server not found in Kerberos database" (GSSAPI)
> and krbtgt/EXAMPLE.COM@SINGLESIGNON.EXAMPLE.COM: No such entry in the database
> (krb5kdc.log)
> 
> because I deleted this entry...
> 
> Where is the use of the second entry forced? Can I switch it or is it a common
> behavior?
> 
> Alexander
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
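
The [domain_realm] check suggested in the reply above, as an added example that is not part of the original message: it resolves a host to a realm from a krb5.conf and shows which krbtgt principal the client would then ask the KDC for. The host name `sshhost.example.com` and both krb5.conf snippets are constructed, and the fallback of upper-casing the host's parent domain is an assumption about the client's default when no mapping matches.

```python
import re

def parse_domain_realm(conf_text):
    """Return the [domain_realm] mappings of a krb5.conf as a dict."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mappings[key.lower()] = realm
    return mappings

def realm_for_host(host, mappings):
    """Host-name entry first, then dotted parent-domain entries."""
    host = host.lower().rstrip(".")
    if host in mappings:
        return mappings[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = "." + ".".join(labels[i:])
        if domain in mappings:
            return mappings[domain]
    # Assumption: with no mapping, the client guesses the realm from the
    # host's parent domain, upper-cased.
    return ".".join(labels[1:]).upper()

def tgt_requested(host, client_realm, mappings):
    """krbtgt principal the client asks for before requesting the service ticket."""
    return f"krbtgt/{realm_for_host(host, mappings)}@{client_realm}"

CLIENT_REALM = "SINGLESIGNON.EXAMPLE.COM"
HOST = "sshhost.example.com"                     # constructed host name

NO_MAPPING = "[libdefaults]\n default_realm = SINGLESIGNON.EXAMPLE.COM\n"
WITH_MAPPING = NO_MAPPING + (
    "[domain_realm]\n"
    " .example.com = SINGLESIGNON.EXAMPLE.COM\n"
    " example.com = SINGLESIGNON.EXAMPLE.COM\n"
)

if __name__ == "__main__":
    for label, conf in (("no mapping", NO_MAPPING), ("with mapping", WITH_MAPPING)):
        print(label, "->", tgt_requested(HOST, CLIENT_REALM, parse_domain_realm(conf)))
```

Without the mapping the result is the cross-realm principal seen in krb5kdc.log; with it the client stays in its own realm and only the first krbtgt entry is needed.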