
Re: cross-realm difficulties




Priit Randla <priit.randla@eyp.ee> writes:

> Heimdal kdc (BBB) log says:
> TGS-REQ priitr@AAA from IPv4:172.26.209.15 for host/srv1.bbb@BBB
> [renewable, forwardable]
> Client not found in database: priitr@AAA: No such entry in the database
> cross-realm AAA -> BBB
> sending 131 bytes to IPv4:172.26.209.15
>
> krb5.conf has both realms described on all involved computers and
> ticket forward works for AAA->AAA and BBB->BBB.
>
> Where should I look next? Anything? Kindly please ... :-).

You should check the time on the BBB kdc, and the ticket lifetime on the
krbtgt/BBB@AAA in the BBB realm.

It's easier to check with kvno (MIT Kerberos) or kgetcred (Heimdal) to
verify that the cross-realm auth works.

I.e., with AAA credentials, type "kgetcred host/computer@BBB".

Love
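
Added example, not part of the original message: a small shell helper that reads `klist` output after the kgetcred/kvno test above and reports which step of the AAA -> BBB exchange is missing from the cache. The function names and both sample listings are constructed for illustration, and it assumes the principal is the last field on each ticket line.

```shell
#!/bin/sh
# Usage on a live host, holding credentials from the client realm:
#   kgetcred host/srv1.bbb@BBB      # Heimdal (MIT: kvno host/srv1.bbb@BBB)
#   xrealm_stage "$(klist)" AAA BBB host/srv1.bbb

# _has TEXT PRINCIPAL: true if some line of TEXT ends with exactly PRINCIPAL.
_has() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# xrealm_stage KLIST_TEXT CLIENT_REALM SERVICE_REALM SERVICE
# Prints one of:
#   no-tgt              no initial TGT at all (kinit first)
#   no-cross-realm-tgt  client realm KDC issued no krbtgt/SERVICE_REALM@CLIENT_REALM
#   no-service-ticket   cross-realm TGT present, service realm KDC issued nothing:
#                       check that KDC's clock and its krbtgt/... entry
#   ok                  service ticket obtained, cross-realm auth works
xrealm_stage() {
    if ! _has "$1" "krbtgt/$2@$2"; then
        echo no-tgt
    elif ! _has "$1" "krbtgt/$3@$2"; then
        echo no-cross-realm-tgt
    elif ! _has "$1" "$4@$3"; then
        echo no-service-ticket
    else
        echo ok
    fi
}

# Constructed sample: the situation in this thread (request reaches the BBB KDC,
# but no service ticket comes back).
SAMPLE_FAIL='Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: priitr@AAA

  Issued                Expires               Principal
Jan  1 10:00:00 2000  Jan  1 20:00:00 2000  krbtgt/AAA@AAA
Jan  1 10:00:05 2000  Jan  1 20:00:00 2000  krbtgt/BBB@AAA'

# Constructed sample: the same cache after a successful request.
SAMPLE_OK="$SAMPLE_FAIL
Jan  1 10:00:06 2000  Jan  1 20:00:00 2000  host/srv1.bbb@BBB"

xrealm_stage "$SAMPLE_FAIL" AAA BBB host/srv1.bbb
xrealm_stage "$SAMPLE_OK" AAA BBB host/srv1.bbb
```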
