Ok, sorry for the noise, it seems to be related to really old distro packages in fact.
On recent-ish releases it works as expected.

On 07/11/2019 10:55, Benoit PLESSIS wrote:
> Hi guys,
>
> I'm having some unexpected difficulties with ksu in a multi-realm environment.
>
> With user1@REALM1 and server.domain@REALM1 everything is working flawlessly:
>
> ssh user1@server.domain from user1@REALM1
> ssh user2@server.domain from user1@REALM1 (with appropriate .k5login)
> user1@server.domain> ksu user2
>
> With user1@REALM2 and server@REALM1 the ksu fails:
>
> ssh user1@server.domain from user1@REALM2 => ok
> ssh user2@server.domain from user1@REALM2 => ok
> user1@server.domain> ksu user2 => Server not found in Kerberos database
>
> Apparently in the second case ksu tries to require a TGS in the form of
> server@REALM2, which doesn't exist indeed.
>
> Any idea why?
>
> krb5.conf:
>
> [libdefaults]
> default_realm = REALM1
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> [realms]
> REALM1 = {
> kdc = ...
> }
> REALM2 = {
> kdc = ...
> }
>
> [domain_realm]
> domain = REALM1
>
> [capaths]
> REALM1 = { REALM2 = . }
> REALM2 = { REALM1 = . }
>
> ________________________________________________
> Kerberos mailing list
> Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos