
Re: cross realm authentication details

Brandon S. Allbery KF8NH wrote:

> On Apr 30, 2006, at 5:31 , Jacob Yocom-Piatt wrote:
>> I have tried doing this by adding 2 principals, krbtgt/REALM.1@REALM.2 and
>> krbtgt/REALM.2@REALM.1, to my KDC via the kadmin interface using
>> add --random-key krbtgt/REALM.1@REALM.2
>> add --random-key krbtgt/REALM.2@REALM.1
> I don't think that's going to work:  the principals need to have the  
> same key, whereas --random-key will generate a distinct (hopefully)  
> random key for each one.

No, I think he did it correctly. There are two principals, one for each
direction, with separate keys. Normally you have to add each principal to
both realms for a total of 4 add operations. But since the realms are
sharing the database you should only need to do two add operations.

The error message says "Bad request for forwardable ticket"
so to prove the cross realm works, try not doing forwarding,
which could be done with something like:

   ssh -o "GSSAPIDelegateCredentials no"

Also make sure the user's .k5login is updated.

Also make sure the initial TGT from kinit got a forwardable ticket,
i.e. kinit -f ...



  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
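The setup and the two checks discussed in this message, as an added shell example that is not part of the original thread. It assumes Heimdal kadmin syntax (matching the `add --random-key` commands in the quoted post) and MIT-format `klist -f` output; the realm names and the klist dump are constructed placeholders. One detail the message does not spell out: each cross-realm krbtgt principal must carry the same key in both KDC databases, so `--random-key` only works when the two realms share one database; with separate databases the example prompts for a password to be typed identically on both KDCs.

```shell
#!/bin/sh
# Added example, not from the original thread.  Assumes Heimdal kadmin
# syntax and MIT-format "klist -f" output; REALM.1/REALM.2 are placeholders.

# Print the kadmin commands for a two-way cross-realm trust between $1 and $2.
# $3 = "shared": both realms live in one database, so two adds suffice and a
# random key is fine.  Otherwise each principal must exist in both KDCs with
# an identical key, so the four adds prompt for a (shared) password instead.
cross_realm_adds() {
    r1=$1; r2=$2; mode=${3:-separate}
    for p in "krbtgt/$r1@$r2" "krbtgt/$r2@$r1"; do
        if [ "$mode" = shared ]; then
            printf 'kadmin -l add --random-key %s\n' "$p"
        else
            printf 'kadmin -r %s add %s\n' "$r1" "$p"
            printf 'kadmin -r %s add %s\n' "$r2" "$p"
        fi
    done
}

# Read "klist -f" output on stdin; exit 0 if the TGT for realm $1 carries the
# forwardable (F) flag, 1 otherwise.  MIT klist prints the flags on the line
# after each ticket, e.g. "renew until ..., Flags: FRIA".
tgt_is_forwardable() {
    awk -v tgt="krbtgt/$1@$1" '
        $NF == tgt { want = 1; next }
        want && /Flags:/ { if ($NF ~ /F/) found = 1; want = 0 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample caches: one from "kinit -f", one from plain "kinit".
SAMPLE_KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jacob@REALM.1

Valid starting       Expires              Service principal
04/30/2006 17:31:00  05/01/2006 03:31:00  krbtgt/REALM.1@REALM.1
        renew until 05/07/2006 17:31:00, Flags: FRIA
04/30/2006 17:32:10  05/01/2006 03:31:00  krbtgt/REALM.2@REALM.1
        renew until 05/07/2006 17:31:00, Flags: FRA'

SAMPLE_KLIST_PLAIN='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jacob@REALM.1

Valid starting       Expires              Service principal
04/30/2006 17:31:00  05/01/2006 03:31:00  krbtgt/REALM.1@REALM.1
        renew until 05/07/2006 17:31:00, Flags: RIA'

# Usage.  Against a live cache this would be:  klist -f | tgt_is_forwardable REALM.1
cross_realm_adds REALM.1 REALM.2 shared
if printf '%s\n' "$SAMPLE_KLIST_PLAIN" | tgt_is_forwardable REALM.1; then
    echo "TGT is forwardable; GSSAPI delegation over ssh can work"
else
    echo "TGT is not forwardable: re-run kinit -f, or test with"
    echo "  ssh -o \"GSSAPIDelegateCredentials no\" host"
fi
```

Run the forwardable check before blaming the cross-realm keys: if the cache shows no F flag, "Bad request for forwardable ticket" is expected regardless of how the krbtgt principals were added.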