Hi Russ,

Russ Allbery wrote:

<snip>

> This error message means that the host keytab (/etc/krb5.keytab) doesn't
> contain the key that ksu expects to use to verify your credentials.  My
> (fairly wild) guess is that the problem is related to referral support,
> just because I know that's one of the things that's changed in the current
> version of Kerberos.  If so, it may indicate that you don't have a
> domain_realm mapping set up for your local hostname.
> 

Bingo! Yes, I added the lines marked with ***

[realms]
DIONIC.NET = {
        kdc = kdc1.dionic.net.
        admin_server = kerberos.dionic.net.
        default_domain = dionic.net                     *** 1
}

[domain_realm]                                          *** 2
.dionic.net = DIONIC.NET                                *** 3
dionic.net = DIONIC.NET                                 *** 4

In fact, line *** 3 is the key in this case, the others are for
completeness.

You know the silly thing - the boxes I commercially admin'd have those
entries - I built the realm above much later, and I suspect I got rid of
them because they "seemed not to matter" or I assumed they were inferred
(but that makes me an idiot because MIT have stated that using
DIONIC.NET mapping to dionic.net is a recommended convention; they never
stated Kerberos was coded to assume that). So 1.6 did catch up with a
broken config, so it was case 3)...

Ever so sorry to have troubled you - I feel like a dork now.

Please close the bug as mistaken. But thanks for your kind assistance,
Russ - I would not ever have figured this out.

Cheers

Tim
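
Added example, not part of the original message and not MIT Kerberos code: a small check that reports whether a hostname is covered by a [domain_realm] entry in krb5.conf text. It follows the documented convention (exact host name first, then dot-prefixed parent domains) as a simplification; the host name host1.dionic.net and both sample configs are constructed for illustration.

```python
import re

def parse_domain_realm(conf_text):
    """Return the [domain_realm] entries of a krb5.conf as {name: realm}."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mappings[name.lower()] = realm
    return mappings

def realm_for_host(hostname, mappings):
    """Exact host entry first, then '.parent.domain' entries, longest first.
    Simplified model of the documented lookup (assumption); None = no mapping."""
    host = hostname.lower().rstrip(".")
    if host in mappings:
        return mappings[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mappings:
            return mappings[suffix]
    return None

# Constructed sample configs: the realm block alone, then with the mapping added.
BROKEN = """
[realms]
DIONIC.NET = {
        kdc = kdc1.dionic.net.
        admin_server = kerberos.dionic.net.
}
"""
FIXED = BROKEN + """
[domain_realm]
.dionic.net = DIONIC.NET
dionic.net = DIONIC.NET
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        realm = realm_for_host("host1.dionic.net", parse_domain_realm(conf))
        print(f"{label}: host1.dionic.net -> {realm or 'NO domain_realm MAPPING'}")
```
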

