From owner-freebsd-hackers@FreeBSD.ORG  Wed Aug 30 14:03:47 2006
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
X-Original-To: hackers@freebsd.org
Delivered-To: freebsd-hackers@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A97DF16A4DD
	for <hackers@freebsd.org>; Wed, 30 Aug 2006 14:03:47 +0000 (UTC)
	(envelope-from Hartmut.Brandt@dlr.de)
Received: from smtp-3.dlr.de (smtp-3.dlr.de [195.37.61.187])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 31B5443D79
	for <hackers@freebsd.org>; Wed, 30 Aug 2006 14:03:42 +0000 (GMT)
	(envelope-from Hartmut.Brandt@dlr.de)
Received: from beagle.kn.op.dlr.de ([129.247.173.6]) by smtp-3.dlr.de over TLS
	secured channel with Microsoft SMTPSVC(6.0.3790.1830); 
	Wed, 30 Aug 2006 16:03:40 +0200
Date: Wed, 30 Aug 2006 16:03:40 +0200 (CEST)
From: Harti Brandt <hartmut.brandt@dlr.de>
X-X-Sender: brandt_h@beagle.kn.op.dlr.de
To: hackers@freebsd.org
Message-ID: <20060830155708.J37315@beagle.kn.op.dlr.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 30 Aug 2006 14:03:41.0018 (UTC)
	FILETIME=[18F15BA0:01C6CC3D]
Cc: 
Subject: pam_krb5 problems
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Harti Brandt <harti@freebsd.org>
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Aug 2006 14:03:47 -0000


Hi all,

has anyone successfully configured pam_krb5? It seems that the ticket 
verification that is in the code does not work as intended: I have a host 
key in my keytab, but reading it for verification fails, because pam_krb5 
constructs the principal name host/opkndn_beagle@INTRA.DLR.DE while the 
keytab contains just opkndn_beagle@INTRA.DLR.DE. When I try to add the 
host/... principal to the keytab, kinit -k doesn't work anymore.

Another problem is finding the realm for the host. I have to explicitely 
add the mapping for the host to the realm to krb5.conf. I have a _kerberos 
TXT record in DNS, but the library fails to DNS-search for _kerberos or 
_kerberos.kn.op.dlr.de, but searches for _kerberos.opkndn_beagle.. (note
the '.' at the end) which seem just wrong.

What do I wrong here?

harti