krb auth weirdness found out

Sam Liddicott sam at
Fri Apr 3 07:56:37 GMT 2009

* Andrew Bartlett wrote, On 03/04/09 02:28:
> On Thu, 2009-04-02 at 15:11 +0100, Sam Liddicott wrote:
>> I have the answer (which turns out to be another question) after
>> spending a couple of dreary days investigating why I get
>> dcerpc_bind_auth_send() from openchange (with specified creds) causing
>> errors like this:
>> kinit for Sam at GALAXY failed (Cannot contact any KDC for requested realm:
>> unable to reach any KDC in realm GALAXY)
>> Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for
>> requested realm
>> Cannot reach a KDC we require to contact host at NOVA
>> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
>> (when GALAXY is a domain value not a REALM value which should be
>> galaxy.test.dbamsystems.local) and I have to wait for the time it takes
>> to fail this before it continues with the NTLM auth (which is what it
>> should have been doing all along).
> If GALAXY was in the krb5.conf as a realm, it would actually work
> (strange, but true).
Yeah, I'd found that, but then I was failing with these ASN.1 errors, so
I followed this path to see where it led and ended up in the same place
with the same ASN.1 errors :-(
> What we need is to provide a DC location plugin to Heimdal that does a
> lookup for the DCs in that domain, and returns them as possible kerberos
> KDCs.
Does it make sense for an old windows domain to be part of a
krb5_principal, even briefly?

If so, then maybe you are right and it looks like
krb5_principal_get_realm() is a good stub function, or

I'm not certain that this lookup belongs in Heimdal or that a
krb5_principal should ever hold a domain (unless the realm member is
badly named).

Surely such a lookup should be called from
cli_credentials_get_principal, which is not part of Heimdal? - so that
the krb5_principal never holds a domain, but only a kerberos realm. The
file credentials.c which holds this function seems to manage enough
callbacks that one could be installed for converting from domains to realms.
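As an added sketch of the design argued for in this message (not code from Samba, Heimdal or openchange): the domain-to-realm conversion is a callback installed on the credentials object, and the principal is never formed from a bare domain, so a caller can fall through to NTLM at once instead of waiting on a KDC lookup for a realm that does not exist. The struct, callback type and mapping table are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical credential shape (not Samba's credentials.c): it may carry
 * a Kerberos realm, or only a Windows (NetBIOS) domain name. */
struct creds {
    const char *username;
    const char *domain;  /* e.g. "GALAXY" */
    const char *realm;   /* e.g. "GALAXY.TEST.DBAMSYSTEMS.LOCAL", or NULL */
};

/* Callback the caller installs to map a domain to its Kerberos realm.
 * Returns NULL when it has no mapping; the caller then treats Kerberos
 * as unavailable rather than guessing a realm. */
typedef const char *(*domain_to_realm_fn)(const char *domain);

/* Constructed table standing in for a real DC lookup. */
static const char *table_resolver(const char *domain)
{
    static const struct { const char *dom, *realm; } map[] = {
        { "GALAXY", "GALAXY.TEST.DBAMSYSTEMS.LOCAL" },
    };
    for (size_t i = 0; i < sizeof map / sizeof map[0]; i++)
        if (strcasecmp(domain, map[i].dom) == 0)
            return map[i].realm;
    return NULL;
}

/* Build "user@REALM" (caller frees). Never falls back to "user@DOMAIN":
 * with no known realm it returns NULL, so the caller skips straight to
 * NTLM instead of waiting for a KDC lookup that cannot succeed. */
char *creds_get_principal(const struct creds *c, domain_to_realm_fn resolve)
{
    const char *realm = c->realm;
    if (realm == NULL && c->domain != NULL && resolve != NULL)
        realm = resolve(c->domain);
    if (realm == NULL || c->username == NULL)
        return NULL;
    size_t n = strlen(c->username) + 1 + strlen(realm) + 1;
    char *p = malloc(n);
    if (p == NULL)
        return NULL;
    snprintf(p, n, "%s@%s", c->username, realm);
    return p;
}
```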
