Comment 12 for bug 235170

ooboyle (oliver-oboyle) wrote :

Update:

After some more investigation, I got it to work in a specific situation. SSH will not segfault and it will not produce an Access Denied message if the following is true:

1) An /etc/krb5.conf file exists with a "default_realm = <yourrealmname>" entry in the [libdefaults] section.
2) There is no "pam {<youroptions>}" in the [appdefaults] section of the /etc/krb5.conf file.

Observations:

a) The mere existence of a "pam {<youroptions>}" entry in /etc/krb5.conf causes the segfault.
b) The lack of any /etc/krb5.conf file causes the Access Denied message.

Without an /etc/krb5.conf file, Heimdal Kerberos is supposed to be able to glean this information from DNS if it exists. As such, in an Active Directory environment, there should be no issues here because the necessary information is always available. To make extra sure, I added a _kerberos TXT record pointing to my realm because this isn't normally visible in MS DNS by default. This made no difference.

It's still not clear to me why an explicit mention of the default realm is required in the krb5.conf file when this information is available via DNS. Perhaps someone else has an idea?

Oliver
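
The check below is an added example, not part of the comment above or of any project's code. It scans krb5.conf text for the two conditions the comment lists and maps them to the behaviour the comment reports. The function names, the EXAMPLE.TEST realm and the sample configs are constructed, and accepting both `pam = {` and `pam {` as the subsection opener is an assumption.

```python
import re

# Constructed samples; EXAMPLE.TEST is a placeholder realm.
WORKING = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
[appdefaults]
    kinit = {
        forwardable = true
    }
"""
CRASHING = WORKING + "    pam = {\n        forwardable = true\n    }\n"

def inspect_krb5_conf(text):
    """Return (default_realm or None, has_pam_block) for krb5.conf text."""
    section, depth = None, 0
    default_realm, has_pam = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header and depth == 0:
            section = header.group(1)
            continue
        if depth == 0:                          # only top-level entries of a section
            if section == "libdefaults":
                m = re.match(r"default_realm\s*=\s*(\S+)", line)
                if m:
                    default_realm = m.group(1)
            elif section == "appdefaults" and re.match(r"pam\s*=?\s*\{", line):
                has_pam = True
        # Track brace nesting so entries inside other subsections are ignored.
        depth = max(depth + line.count("{") - line.count("}"), 0)
    return default_realm, has_pam

def expected_ssh_outcome(text):
    """Map a config (None = no file) to the behaviour reported in the comment."""
    if text is None:
        return "access-denied"    # observation b: no /etc/krb5.conf
    realm, has_pam = inspect_krb5_conf(text)
    if has_pam:
        return "segfault"         # observation a: pam block present
    if realm:
        return "works"            # conditions 1 and 2 both hold
    return "not-reported"         # file without default_realm: not covered by the comment

if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("crashing", CRASHING), ("absent", None)):
        print(name, "->", expected_ssh_outcome(cfg))
```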