>I am a bit surprised that the cnames in the krb5.conf file were the
>problem. I would like to use a common krb5.conf file everywhere
>deployed by our configuration management processes. I guess one way
>would be to create principals for the cnames. Seems a bit unclean. Or
>just have a unique krb5.conf for kdc systems.

I can only say that we have the same krb5.conf file everywhere, and ... I'm confused what you are talking about when it comes to canonicalization issues for your admin principal and your krb5.conf!

I admit, hostname canonicalization with Kerberos has always been a bit ... challenging. The exact behavior can depend on the version of Kerberos you are using and krb5.conf configuration entries. Drives me nuts at times.

I'd ALSO check to make sure it works correctly at reboot; like I explained earlier, that tripped me up.

--Ken
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
