Jos Backus writes:
> On Tue, Jul 29, 2008 at 12:26:17PM -0700, Russ Allbery wrote:


>> I believe this was to support server-side referrals. The idea is that
>> the client will ask the server for a principal with an empty realm and
>> the server will figure out the realm.


> *nod* As it stands, without a matching domain_realm entry, the realm
> remains empty.


> This broke our setup between CentOS 4 (Kerberos 1.5) and CentOS 5
> (Kerberos 1.6.1) , where ssh'in into a box fails with `Wrong principal
> in request'. Adding some debugging from 1.6.3 reveals that the offered
> principal is `host/fqdn@REALM' whereas the expected principal (returned
> from krb5_sname_to_principal()) is `host/fqdn@'.


Yes, you're having the same situation that we did, where the change to
support referrals broke other software. My only experience with it has
been in the area of where it broke things.

We solved the problems we ran into by making sure that we had domain_realm
mappings on the client, since otherwise ksu stopped working. I think ksu
has now been fixed in Subversion, though.

--
Russ Allbery (rra@stanford.edu)