From: Harti Brandt <Hartmut.Brandt@dlr.de>
To: hackers@freebsd.org
Date: Wed, 30 Aug 2006 16:03:40 +0200 (CEST)
Subject: pam_krb5 problems
Message-ID: <20060830155708.J37315@beagle.kn.op.dlr.de>
List: freebsd-hackers (Technical Discussions relating to FreeBSD)

Hi all,

has anyone successfully configured pam_krb5? It seems that the ticket verification that is in the code does not work as intended: I have a host key in my keytab, but reading it for verification fails, because pam_krb5 constructs the principal name host/opkndn_beagle@INTRA.DLR.DE while the keytab contains just opkndn_beagle@INTRA.DLR.DE. When I try to add the host/... principal to the keytab, kinit -k doesn't work anymore.

Another problem is finding the realm for the host. I have to explicitly add the mapping for the host to the realm to krb5.conf. I have a _kerberos TXT record in DNS, but the library fails to DNS-search for _kerberos or _kerberos.kn.op.dlr.de, but searches for _kerberos.opkndn_beagle.. (note the '.' at the end), which seems just wrong.

What am I doing wrong here?

harti
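The two symptoms in the message above (a host/... service principal that is not in the keytab, and a realm TXT lookup that walks up from a bare, unqualified hostname) can be modelled offline. This is an added example, not code from the post or from pam_krb5; it is a simplified model of the usual Kerberos behaviour, the TXT table and keytab contents are constructed, and the lookup order (most specific name first, stripping one label at a time) is an assumption rather than any particular library's exact algorithm.

```python
# Constructed DNS data: the _kerberos TXT record the poster says exists.
# Names are absolute (trailing dot), as a resolver would treat them.
TXT_RECORDS = {
    "_kerberos.kn.op.dlr.de.": "INTRA.DLR.DE",
}

# Constructed keytab listing (principal names only, as `ktutil list` shows them).
KEYTAB_PRINCIPALS = {"opkndn_beagle@INTRA.DLR.DE"}


def realm_lookup_candidates(hostname: str) -> list[str]:
    """Names queried for a _kerberos TXT record, most specific first.

    Assumed model: start at the host's own name, then strip one label at a
    time. An unqualified hostname therefore yields a single absolute name such
    as '_kerberos.opkndn_beagle.' and never reaches the domain's record.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ["_kerberos." + ".".join(labels[i:]) + "." for i in range(len(labels))]


def find_realm(hostname: str, txt=TXT_RECORDS):
    """Return the realm from the first matching TXT record, or None."""
    for name in realm_lookup_candidates(hostname):
        if name in txt:
            return txt[name]
    return None


def host_service_principal(hostname: str, realm: str) -> str:
    """Service principal used to verify a TGT against the local host key."""
    return f"host/{hostname.rstrip('.').lower()}@{realm}"


def can_verify_ticket(hostname: str, realm: str, keytab=KEYTAB_PRINCIPALS) -> bool:
    """Verification succeeds only if the host/ principal is present in the keytab."""
    return host_service_principal(hostname, realm) in keytab


if __name__ == "__main__":
    for h in ("opkndn_beagle", "opkndn_beagle.kn.op.dlr.de"):
        print(h, realm_lookup_candidates(h), find_realm(h),
              can_verify_ticket(h, "INTRA.DLR.DE"))
```

With the unqualified name the only query is `_kerberos.opkndn_beagle.` and no realm is found; with the fully qualified name the domain record is reached, but verification still fails because the constructed keytab holds a user-style principal instead of `host/opkndn_beagle.kn.op.dlr.de@INTRA.DLR.DE`.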