incorrect server principal in TGS-REQ

Dave Daugherty dave.daugherty at
Fri Nov 17 17:40:53 GMT 2006

Love Hörnquist Åstrand Sent: Thursday, November 16, 2006 9:57 PM

>>To: Andrew Bartlett
>17 nov 2006 kl. 01.25 skrev Andrew Bartlett:

>> On Fri, 2006-11-17 at 00:14 +0100, Rafal Szczesniak wrote:
>>> Andrew,
>>> While kerberos AS-REQ is sent with correct (ie. set from command line
>>> argument) realm, I still have incorrect one in TGS-REQ. Tracing this
>>> code a little bit I found that it is connected with inability to find
>>> some particular server's realm name (krb5_sname_to_principal). That's
>>> the place where kerberos code still uses default realm instead of
>>> what's been passed in command line.
>> Hmm.

> Windows seems have this habit of sending the first tgs-req to the  
> local realm
> and trust referrals to redirect the client to the right place.

> Love

Not sure about Heimdal Kerberos, but MIT Kerberos ignores the Windows ticket referrals.  Double check krb5.conf to make sure it is configured properly.  If you have an AD forest with multiple roots, you will need to manually construct a [capaths] section to let the library know how to follow the path of trust.

Dave Daugherty

More information about the samba-technical mailing list