Hi Glenn, Greg,

Thanks for your input.

I’ve now done some debugging with Wireshark and found what I believe to be the smoking gun:

So it looks like the client is sending oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com as the SnameString (presumably the SPN), when it should be sending: d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com

I’ve updated the ticket with the details: http://stackoverflow.com/questions/43685086

So the question is, how do I persuade the JVM built-in Kerberos client to change the way it looks up server hosts? Or is there genuinely a DNS change required?

Bear in mind I have the following /etc/hosts entry:

10.252.134.51 d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com

Thanks,
Matt

On 12 May 2017 at 16:40, Greg Hudson <ghud...@mit.edu> wrote:
> On 05/12/2017 11:28 AM, Matt Darwin wrote:
> > I’ve written a detailed description of the problem on stack overflow :
> > http://stackoverflow.com/questions/43685086/
>
> I read this, and I don't see in there the server principal name in the
> TGS request on macOS and on Linux. You might be able to obtain that
> with wireshark or similar if you can't get it out of the JVM. That
> information, together with knowledge of your DNS configuration, might
> provide a hint as to what's going on.
>
> Note that the JVM has its own Kerberos implementation, which is separate
> from MIT krb5, Heimdal, or the macOS fork of Heimdal. (I believe it's
> possible to use a shim to force it to call out to the C library, but
> from the stack trace it doesn't appear that you're doing that.) So the
> output you're getting from krb5-config --version is irrelevant, as is
> using brew to install a newer C library.
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
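The mismatch Matt captured (a NAT-style PTR name in the SPN instead of the name in /etc/hosts) is the classic symptom of a Kerberos client canonicalising the server host through a forward lookup followed by a reverse lookup. The script below is an added diagnostic, not code from the thread or from any Kerberos implementation: it models that canonicalisation path over constructed forward/reverse tables built from the names quoted above, and shows which SPN each setting produces. The `HTTP` service name is an assumption (the thread does not name the service), and whether the JVM's built-in client follows exactly this path is likewise an assumption; MIT krb5 turns the reverse step off with `rdns = false` in `[libdefaults]`.

```python
import socket

# Constructed sample tables (not a real zone) mirroring the thread's values:
# forward lookup of the intended host gives an address whose PTR record
# points at a NAT-style name, which is what ended up in the SnameString.
FORWARD = {
    "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com": "10.252.134.51",
}
REVERSE = {
    "10.252.134.51": "oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com",
}


def canonical_host(host, forward=None, reverse=None, rdns=True):
    """Return the host part a canonicalising Kerberos client puts in the SPN.

    Step 1: forward-resolve the name (what /etc/hosts or DNS returns).
    Step 2: if rdns is enabled, reverse-resolve that address and use the
            PTR name instead; this is how a stray NAT name replaces the
            intended host even when /etc/hosts maps the address correctly.
    forward/reverse are dict lookups for offline use; None means ask the
    system resolver.
    """
    if forward is None:
        ip = socket.gethostbyname(host)
    else:
        ip = forward.get(host, host)
    if not rdns:
        return host.lower()
    if reverse is None:
        try:
            return socket.gethostbyaddr(ip)[0].lower()
        except socket.herror:
            return host.lower()
    return reverse.get(ip, host).lower()


def expected_spn(service, host, **kw):
    """SPN the client would request, e.g. HTTP/<canonical host>."""
    return f"{service}/{canonical_host(host, **kw)}"


def spn_mismatch(service, host, **kw):
    """Return (sent, intended) when canonicalisation alters the SPN, else None."""
    sent = expected_spn(service, host, **kw)
    intended = f"{service}/{host.lower()}"
    return (sent, intended) if sent != intended else None
```

Run against the live resolver (`spn_mismatch("HTTP", host)`) on the client machine to confirm whether its reverse lookup, rather than /etc/hosts, is the source of the NAT name.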
I’ve now done some debugging with Wireshark and found what I believe to be the smoking gun: So it looks like the client is sending oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com as the SnameString (presumably the SPN), when it should be sending: d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com I’ve updated the ticket with the details: http://stackoverflow.com/questions/43685086 So question is, how do I persuade the JVM built-in kerberos client to change the way it looks up server hosts? Or is there genuinely a DNS change required? Bear in mind I have the following /etc/hosts entry: 10.252.134.51 d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com Thanks, Matt On 12 May 2017 at 16:40, Greg Hudson <ghud...@mit.edu> wrote: > On 05/12/2017 11:28 AM, Matt Darwin wrote: > > I’ve written a detailed description of the problem on stack overflow : > http://stackoverflow.com/questions/43685086/ > > I read this, and I don't see in there the server principal name in the > TGS request on macOS and on Linux. You might be able to obtain that > with wireshark or similar if you can't get it out of the JVM. That > information, together with knowledge of your DNS configuration, might > provide a hint as to what's going on. > > Note that the JVM has its own Kerberos implementation, which is separate > from MIT krb5, Heimdal, or the macOS fork of Heimdal. (I believe it's > possible to use a shim to force it to call out to the C library, but > from the stack trace it doesn't appear that you're doing that.) So the > output you're getting from krb5-config --version is irrelevant, as is > using brew to install a newer C library. > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos