Re: cross-realm difficulties
Priit Randla wrote:
> Love wrote:
>> Priit Randla <firstname.lastname@example.org> writes:
>>> Heimdal KDC (BBB) logs say:
>>> TGS-REQ priitr@AAA from IPv4:172.26.209.15 for host/srv1.bbb@BBB
>>> [renewable, forwardable]
>>> Client not found in database: priitr@AAA: No such entry in the database
>>> cross-realm AAA -> BBB
>>> sending 131 bytes to IPv4:172.26.209.15
>>> krb5.conf has both realms described on all involved computers, and
>>> ticket forwarding works for AAA->AAA and BBB->BBB.
>>> Where should I look next? Anything? Kindly please ... :-).
>> You should check the time on the BBB kdc, and the ticket lifetime on the
>> krbtgt/BBB@AAA in the BBB realm.
> Time is the same on both the AAA and BBB KDCs - all servers and
> workstations are using NTP to maintain their clocks. And I verified it too ;-).
I found the culprit - the KDC for AAA was handing out a TGT with the renewable
flag set and a maximum renewable lifetime of 0.
Heimdal got that TGT@AAA from openssh and decided that the TGT was invalid.
No idea if those tickets are valid or not; at least they have always worked
so far with MIT and AD...
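As an added example (not part of the thread or of Heimdal), a small checker in the spirit of this diagnosis: it parses MIT-style `klist -f` output and reports tickets that carry the renewable flag but have no usable renewable lifetime, which is the shape of TGT the AAA KDC was issuing. The sample cache listing, its principals and timestamps are constructed assumptions, not output from the poster's systems.

```python
import re
from datetime import datetime

# Constructed sample in MIT-style `klist -f` layout (not taken from the thread).
# The first ticket mirrors the reported problem: flag R set but "renew until"
# equals the expiry time, i.e. a renewable lifetime of zero.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: priitr@AAA

Valid starting       Expires              Service principal
01/02/24 09:00:00    01/02/24 19:00:00    krbtgt/AAA@AAA
\trenew until 01/02/24 19:00:00, Flags: FRI
01/02/24 09:05:00    01/02/24 19:00:00    krbtgt/BBB@AAA
\trenew until 01/09/24 09:05:00, Flags: FRI
01/02/24 09:06:00    01/02/24 19:00:00    host/srv1.bbb@BBB
\tFlags: FI
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)\s*$")
DETAIL_RE = re.compile(rf"^\s*(?:renew until ({STAMP}), )?Flags: (\w+)\s*$")


def parse_klist(text):
    """Parse MIT-style `klist -f` output into a list of ticket dicts."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            start, expires, princ = m.groups()
            tickets.append({"principal": princ,
                            "start": datetime.strptime(start, TIME_FMT),
                            "expires": datetime.strptime(expires, TIME_FMT),
                            "renew_until": None, "flags": ""})
            continue
        m = DETAIL_RE.match(line)
        if m and tickets:  # detail line belongs to the ticket just parsed
            renew, flags = m.groups()
            tickets[-1]["flags"] = flags
            if renew:
                tickets[-1]["renew_until"] = datetime.strptime(renew, TIME_FMT)
    return tickets


def zero_renewable_tickets(tickets):
    """Principals whose ticket has the R flag but no usable renewable lifetime:
    either no renew-until time at all, or one no later than the expiry."""
    return [t["principal"] for t in tickets
            if "R" in t["flags"]
            and (t["renew_until"] is None or t["renew_until"] <= t["expires"])]


if __name__ == "__main__":
    print(zero_renewable_tickets(parse_klist(SAMPLE_KLIST)))  # ['krbtgt/AAA@AAA']
```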