Kerberos: final note.
Just a little follow-up to my two previous blog posts about Kerberos:
Kerberos needs a few things to be set up correctly before it'll work. If you've set up everything correctly as I explained it previously, and it doesn't work, make sure you have these done right:
- Parts of the Kerberos protocol require your computers' clocks to be in sync (with a slight error margin; I believe 10 minutes is the default). Using NTP is one way of achieving this.
- Other parts of the MIT implementation rely on forward/reverse name resolving of localhost to work. The details are uninteresting, but in general, if you say ping localhost, then the replies you get should contain your FQDN. If they don't, fiddle with /etc/hosts until they do.
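The second check can be scripted. The following is an added example, not code from the original post: it applies the post's criterion (both the FQDN and localhost should come back as the FQDN) to /etc/hosts-style text. It assumes lookups are answered from /etc/hosts only, with the first matching line winning and the first name on a line being the canonical one; example.org is a placeholder domain and the sample files are constructed.

```python
import socket

def parse_hosts(text):
    """Parse /etc/hosts-style text into [(address, [names...])], in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].lower().split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries

def forward(entries, name):
    """Address of the first line that lists `name`, or None."""
    name = name.lower()
    return next((addr for addr, names in entries if name in names), None)

def reverse(entries, addr):
    """Canonical name (first name on the first line for `addr`), or None."""
    return next((names[0] for a, names in entries if a == addr), None)

def check(text, fqdn):
    """Return a list of problems; an empty list means both lookups agree."""
    entries, fqdn, problems = parse_hosts(text), fqdn.lower(), []
    if "." not in fqdn:
        problems.append(f"{fqdn!r} is not fully qualified")
    for name in (fqdn, "localhost"):
        addr = forward(entries, name)
        if addr is None:
            problems.append(f"{name}: no forward entry")
            continue
        canon = reverse(entries, addr)  # what a reverse lookup would report
        if canon != fqdn:
            problems.append(f"{name} -> {addr} -> {canon!r}, expected {fqdn!r}")
    return problems

# Constructed sample files (assumption: host "newwave" in placeholder domain).
BROKEN = """\
127.0.0.1   localhost
192.0.2.10  newwave newwave.example.org   # short name listed first
"""
FIXED = """\
127.0.0.1   newwave.example.org newwave localhost
"""

if __name__ == "__main__":
    # Live run: check this machine's own file against its reported FQDN.
    with open("/etc/hosts") as fh:
        for problem in check(fh.read(), socket.getfqdn()):
            print("PROBLEM:", problem)
```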
Posted since I just revived newwave, my Quadra 700, which hadn't been kerberized yet, bumped against the latter of the above two points, and played with the machine for a few hours until I realized what the problem was... and because this wasn't the first time that it happened and, I guess, not the last time either.
In a lot of places, like here (the indiana.edu Kerberos domain...), the time-sync restrictions on Kerberos are set down to 5 minutes.
5 minutes is just enough to be a pain if you have a machine with serious clock driftage.
--elijah