Weird cross-realm behaviour after upgrade to Heimdal 7.3

Jeffrey Altman jaltman at
Fri Jul 7 21:01:48 CEST 2017

On 7/4/2017 3:05 AM, Andreas Haupt wrote:

> ... and on the KDC side:
> Jul  4 08:33:46 kdc-7.3 kdc[12045]: TGS-REQ <myaccount>@MYREALM from IPv4:<MY-IP> for krbtgt/CERN.CH at MYREALM [renewable, forwardable]
> Jul  4 08:33:46 kdc-7.3 kdc[12045]: Server not found in database: krbtgt/CERN.CH at MYREALM: Success

I would like to see more of the log entries that follow as well as a
packet capture.  There is not enough detail here to say what is going on.

> This answer seems to make the client think the KDC is somehow malfunctioning
> and repeats the request with any KDC combination (all KDCs it finds in
> /etc/krb5.conf on ports 88 and 750 here). Of course, it causes long timeouts
> before the ssh client gives up and asks for a password.
> Any idea to restore the old "Heimdal-1.2-style" behaviour? Is this
> considered a bug or misconfiguration?

I can't tell you since I don't have enough information.

What is MYREALM?

What is the client?

What is the configuration of the client?

What is the configuration of the KDC?

My guess is the difference in behavior is related to Kerberos Referrals
and/or implicit hierarchical capaths, both of which are not present in 1.2.

Jeffrey Altman


More information about the Heimdal-discuss mailing list