Weird cross-realm behaviour after upgrade to Heimdal 7.3
jaltman at secure-endpoints.com
Fri Jul 7 21:01:48 CEST 2017
On 7/4/2017 3:05 AM, Andreas Haupt wrote:
> ... and on the KDC side:
> Jul 4 08:33:46 kdc-7.3 kdc: TGS-REQ <myaccount>@MYREALM from IPv4:<MY-IP> for krbtgt/CERN.CH at MYREALM [renewable, forwardable]
> Jul 4 08:33:46 kdc-7.3 kdc: Server not found in database: krbtgt/CERN.CH at MYREALM: Success
I would like to see more of the log entries that follow as well as a
packet capture. There is not enough detail here to say what is going on.
> This answer seems to make the client think the KDC is somehow malfunctioning
> and repeats the request with any KDC combination (all KDCs it finds in
> /etc/krb5.conf on ports 88 and 750 here). Of course, it causes long timeouts
> before the ssh client gives up and asks for a password.
> Any idea to restore the old "Heimdal-1.2-style" behaviour? Is this
> considered a bug or misconfiguration?
I can't tell you since I don't have enough information.
What is MYREALM?
What is the client?
What is the configuration of the client?
What is the configuration of the KDC?
My guess is the difference in behavior is related to Kerberos Referrals
and/or implicit hierarchical capaths, both of which are not present in 1.2.