When I run klist after ssh-ing into a Kerberized instance, I obtain the TGS for the principal host/vmtest001. However, why do I get two of them, including one with no REALM after the @ separator?

Here is the output of klist:

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: athena@EXAMPLE.COM

Valid starting     Expires            Service principal
06/13/21 21:05:00  06/14/21 07:05:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/14/21 21:04:59
06/13/21 21:05:03  06/14/21 07:05:00  host/vmtest001@
        renew until 06/14/21 21:04:59
06/13/21 21:05:03  06/14/21 07:05:00  host/vmtest001@EXAMPLE.COM
        renew until 06/14/21 21:04:59
explogx

1 Answer

Add this to your /etc/krb5.conf to explicitly define the realm's domain:

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
explogx
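
To check what the [domain_realm] section from the answer above resolves for a given host, here is an added example (not part of the original question or answer, and not MIT krb5's own code) that models the lookup in simplified form: the hostname is tried first, then each parent domain with and without its leading dot, and an empty realm is returned when nothing matches, which is the form klist prints as `host/vmtest001@`. The FQDN `vmtest001.example.com`, the helper names and the sample file are assumptions made for illustration.

```python
import re

# Constructed sample: the [domain_realm] relations from the answer,
# placed in a minimal krb5.conf (the [libdefaults] part is assumed).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

def parse_domain_realm(conf_text):
    """Return the flat [domain_realm] relations of a krb5.conf as a dict."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            mapping.setdefault(key.lower(), value)  # keep first value of a repeated key
    return mapping

def lookup_keys(hostname):
    """Keys tried in order: host, '.parent', 'parent', '.grandparent', ..."""
    p = hostname.lower().rstrip(".")
    keys = []
    while p:
        keys.append(p)
        if p.startswith("."):
            p = p[1:]                        # '.example.com' -> 'example.com'
        else:
            dot = p.find(".")
            p = p[dot:] if dot != -1 else "" # 'example.com' -> '.com'
    return keys

def realm_for_host(hostname, mapping):
    """Realm chosen for hostname, or '' (empty realm) when nothing matches."""
    for key in lookup_keys(hostname):
        if key in mapping:
            return mapping[key]
    return ""
```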