The AS returns a TGT with the client's requested IP addresses listed as
the valid addresses from which the ticket can be used. The fact that you
actually get an initial ticket but fail to get other tickets later
indicates that your gateway is asking for the wrong set of IP addresses
in the AS request.

Two things can be the cause of this, AFAIK:

1) incorrect setup of the hosts name service on the host
2) NAT _between_ the host and the KDC

The setup of the hosts name service on the gateway should be such that
gethostbyname() on the gateway's hostname returns either the inside IP
address (the one the KDC sees) or all the gateway's IP addresses.

If you can't fix the problem you can always hack pam_krb5 so you can
specify additional IP addresses to include in the AS request via
arguments to auth pam_krb5.

Nico

On Tue, Oct 10, 2000 at 09:31:27PM -0400, Wes Brown wrote:
> On Tue, Oct 10, 2000 at 06:06:30PM +0100, Mayers, Philip J wrote:
> > There are known difficulties with multihomed kerberos boxes. Try this:
> >
> > http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#multihomed
> > http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbdns
> >
> > Regards,
> > Phil
>
> Thank you for the information, but I can kinit from the system in question
> and my TGT is received fine. I believe the pam_krb5 module authenticates
> the user by whether or not a TGT can be retrieved from the KDC.
>
> Wes
> ---
> Wes Brown
> ewb4@po.cwru.edu wes@smellycat.com
> http://prozac.cwru.edu/wes/About.me.html
> KB8TGR
>
> _______________________________________________
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
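
The name-service check described in the message above can be scripted. The following is an added example, not part of the original thread or of pam_krb5; the function names and verdict strings are hypothetical, and it assumes the administrator already knows the address the KDC sees for this host and passes it as the only argument.

```python
import ipaddress
import socket
import sys


def resolved_addresses(hostname=None):
    """Return (hostname, IPv4 addresses) as the hosts name service reports
    them for this machine's own name (same lookup as gethostbyname())."""
    hostname = hostname or socket.gethostname()
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
    except OSError:
        return hostname, []
    return hostname, addrs


def check(resolved, kdc_seen):
    """Classify the resolver result against the address the KDC sees."""
    seen = ipaddress.ip_address(kdc_seen)
    addrs = [ipaddress.ip_address(a) for a in resolved]
    if not addrs:
        return "unresolvable"
    if seen in addrs:
        return "ok"
    if all(a.is_loopback for a in addrs):
        return "loopback-only"
    return "mismatch"


# Hypothetical advice text keyed by verdict.
ADVICE = {
    "ok": "the KDC-visible address is among the addresses the host resolves to",
    "unresolvable": "the host cannot resolve its own name; fix the hosts name service",
    "loopback-only": "the hostname maps only to loopback; map it to the inside address",
    "mismatch": "the KDC-visible address is not returned; fix the hosts entry, "
                "or with NAT in the path request that address explicitly",
}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_krb_addrs.py <address-the-KDC-sees>")
    name, addrs = resolved_addresses()
    verdict = check(addrs, sys.argv[1])
    print(f"{name} -> {addrs or 'no addresses'}")
    print(f"{verdict}: {ADVICE[verdict]}")
    sys.exit(0 if verdict == "ok" else 1)
```

Run it on the gateway itself, since the result depends on that host's own name-service configuration.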