
Re: cross-realm difficulties
Priit Randla wrote:

> Love wrote:
>
>> Priit Randla <priit.randla@eyp.ee> writes:
>>
>>
>>> Heimdal kdc (BBB) logs says:
>>> TGS-REQ priitr@AAA from IPv4:172.26.209.15 for host/srv1.bbb@BBB
>>> [renewable, forwardable]
>>> Client not found in database: priitr@AAA: No such entry in the database
>>> cross-realm AAA -> BBB
>>> sending 131 bytes to IPv4:172.26.209.15
>>>
>>> krb5.conf has both realms described on all involved computers and
>>> ticket forward works for AAA->AAA and BBB->BBB.
>>>
>>> Where should I look next? Anything? Kindly please ... :-).
>>
>> You should check the time on the BBB kdc, and the ticket lifetime on the
>> krbtgt/BBB@AAA in the BBB realm.
>>
>    Time is the same on both the AAA and BBB KDCs; all servers and
> workstations are using NTP to maintain their clocks. And I verified it too ;-).
>
    Hello,

    I found the culprit: the KDC for AAA was handing out a TGT with the
renewable flag set and a maximum renewable lifetime of 0.
Heimdal got that TGT@AAA from openssh and decided that the TGT is invalid.
No idea if those tickets are valid or not; at least they have always worked
so far with MIT and AD...

Regards,
Priit
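An added illustration of the lifetime checks behind the symptom in this thread; it is not code from the thread, from openssh or from Heimdal. It models a ticket as the handful of fields that matter here (start time, end time, renew-till, flags) and runs a consistency check over a few constructed tickets: the AAA TGT with the renewable flag set but a renew-till of 0 is rejected, an otherwise identical TGT with a sane renew-till passes, and a ticket from a KDC whose clock is off fails the skew check that Love asked about first. The check rules, the 5-minute skew tolerance, the principal names and the sample tickets are all assumptions constructed for the example; Heimdal's actual acceptance logic lives in its KDC source.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Assumed clock-skew tolerance; the usual Kerberos default is 300 seconds.
MAX_SKEW = timedelta(minutes=5)


@dataclass
class Ticket:
    """Subset of ticket fields relevant to lifetime checks (a model, not a real decoder)."""
    client: str
    server: str
    starttime: datetime
    endtime: datetime
    renew_till: Optional[datetime]   # None models a renew-till of 0 / absent
    flags: Set[str]                  # e.g. {"renewable", "forwardable"}


def check_ticket(t: Ticket, now: datetime) -> List[str]:
    """Return the reasons a KDC might reject this ticket; an empty list means acceptable.

    These are the consistency rules a practitioner would apply while debugging
    the thread's symptom; they are an assumption for this example, not Heimdal's code.
    """
    problems = []
    if t.starttime > now + MAX_SKEW:
        problems.append("starttime is in the future beyond clock skew")
    if t.endtime < now - MAX_SKEW:
        problems.append("ticket has expired")
    if "renewable" in t.flags:
        if t.renew_till is None:
            problems.append("renewable flag set but renew-till is 0/absent")
        elif t.renew_till < t.endtime:
            problems.append("renew-till is earlier than endtime")
    elif t.renew_till is not None:
        problems.append("renew-till present but renewable flag not set")
    return problems


# Constructed reference time so the example is deterministic.
NOW = datetime(2005, 1, 10, 12, 0, tzinfo=timezone.utc)


def sample_tickets() -> Dict[str, Ticket]:
    """Constructed sample tickets; names and lifetimes are made up for the example."""
    h = timedelta(hours=1)
    return {
        # Mirrors the thread: renewable flag set, but renew-till is 0.
        "aaa_tgt_bad": Ticket("priitr@AAA", "krbtgt/BBB@AAA",
                              NOW - h, NOW + 9 * h, None,
                              {"renewable", "forwardable"}),
        # Same TGT with a sane renew-till (7 days): accepted.
        "aaa_tgt_ok": Ticket("priitr@AAA", "krbtgt/BBB@AAA",
                             NOW - h, NOW + 9 * h, NOW + 7 * 24 * h,
                             {"renewable", "forwardable"}),
        # Non-renewable service ticket with no renew-till: accepted.
        "plain": Ticket("priitr@BBB", "host/srv1.bbb@BBB",
                        NOW - h, NOW + 9 * h, None,
                        {"forwardable"}),
        # Issued by a KDC whose clock is 20 minutes ahead: fails the skew check.
        "skewed": Ticket("priitr@AAA", "krbtgt/BBB@AAA",
                         NOW + timedelta(minutes=20), NOW + 10 * h, NOW + 7 * 24 * h,
                         {"renewable"}),
    }


def audit(now: datetime = NOW) -> Dict[str, List[str]]:
    """Run check_ticket over the constructed samples; returns name -> problem list."""
    return {name: check_ticket(t, now) for name, t in sample_tickets().items()}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(f"{name:12s} {'OK' if not problems else '; '.join(problems)}")
```

The point of the "renewable implies renew-till after endtime" rule is that a renew-till of 0 is indistinguishable from "renewable until 1970", so a strict implementation treats the flag and the field as contradictory; when debugging, compare the renew-till that `klist` shows for the cross-realm TGT with its end time before suspecting the clocks.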