[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

cross realm authentication details

i've got my KDC running on openbsd 3.8-release and have 2 realms, REALM.1 and
REALM.2, which both authenticate to the same single KDC. i can get tickets for
each realm from either realm and use them just fine in their respective realms.
having read the documentation at http://www.pdc.kth.se/heimdal/heimdal.html , i
would asssume that that i merely need to add two principals on my single KDC for
both realms to cross authenticate (see section 4.12 of earlier link).

i have tried doing this by adding 2 principals, krbtgt/REALM.1@REALM.2 and
krbtgt/REALM.2@REALM.1, to my KDC via the kadmin interface using

add --random-key krbtgt/REALM.1@REALM.2
add --random-key krbtgt/REALM.2@REALM.1

to test this, i get a ticket for user1@REALM.1 and then attempt to ssh into one
of the hosts in REALM.2 where user1 has an account. this does not work and i see
the following in kdc.log on the KDC

2006-04-30T15:44:52 TGS-REQ user1@REALM.1 from IPv4: for
2006-04-30T15:44:52 TGS-REQ user1@REALM.1 from IPv4: for
2006-04-30T15:44:52 cross-realm REALM.1 -> REALM.2
2006-04-30T15:44:52 TGS-REQ user1@REALM.1 from IPv4: for
krbtgt/REALM.1@REALM.1 [forwarded, forwardable]
2006-04-30T15:44:52 Bad request for forwardable ticket

i have the following krb5.conf on hosts in both realms, with the default realm
modified appropriately

        # Set the realm of this host here
        default_realm = REALM.1

        # Maximum allowed time difference between KDC and this host
        clockskew = 300

        # Uncomment this if you run NAT on the client side of kauth.
        # This may be considered a security issue though.
        # no-addresses = yes

        REALM.1 = {
                # Specify KDC here
                kdc = kerberos.realm.1

                # Administration server, used for creating users etc.
                admin_server = kerberos.realm.1

        # Example of a "foreign" realm
        REALM.2 = {
                kdc = kerberos.realm.1
                admin_server = kerberos.realm.1
                #default_domain = other.domain
                #v4_domains = other.domain

# This sections describes how to figure out a realm given a DNS name
        .realm.1 = REALM.1
        .realm.2 = REALM.2


ssh -vvv doesn't yield any additional debugging info. any ideas on what i'm
doing wrong?

also, is there a way to integrate sudo with heimdal? i thought it would be nice
to have all sudo calls logged in a single place.