[1046] in Kerberos


inter-realm authentication

daemon@ATHENA.MIT.EDU (Tasha Alfonso)
Wed Jul 11 23:42:23 1990

Date: Wed, 11 Jul 90 19:54:35 PDT
From: alfonso%agena.usc.edu@usc.edu (Tasha Alfonso)
To: kerberos@ATHENA.MIT.EDU
Cc: alfonso@agena.usc.edu, cocchi@jerico.MIT.EDU



What we want to do:

We have two independent realms, USC.EDU and USC2.EDU.  Our own network
service application, visa, is registered in realm USC2.EDU.  A user
(root) is registered in the realm USC.EDU and needs to be
authenticated to the visa service in realm USC2.EDU.  More
specifically, root.@USC.EDU needs inter-realm authentication to
visa.pompei@USC2.EDU, where visa is the principal/service, pompei is
the instance and USC2.EDU is the realm.

Without success, we followed instructions found in the kerberos mail
archive:

	[0444] daemon@TELECOM.MIT.EDU  Kerberos  07/12/88 14:29 (50 lines)
	Subject: Re: Crossing Realms
	From: Jon Rochlis <jon@BITSY.MIT.EDU>
	To: Doug Alan <nessus@ATHENA.MIT.EDU>
	Cc: kerberos@ATHENA.MIT.EDU
	In-Reply-To: Doug Alan's message of Tue, 12 Jul 88 00:57:52 EDT,
	

We interpreted the instructions for inter-realm authentication outlined
in this message and made the following entries:

REALM	USC.EDU	
	kerberos server in this realm is xanadu.usc.edu

	kdb_edit to add principal krbtgt, instance USC2.EDU

	added to /usr/etc/credentials
	(this filesystem is shared by xanadu and pompei so the 
	access grants for both root@pompei and root@xanadu are in
	the same file)
		root@xanadu.usc.edu:0
		root@pompei.usc.edu:0
	
	added to /etc/krb.realm
		pompei.usc.edu USC2.EDU

	added to /etc/krb.conf
		USC2.EDU pompei.usc.edu

REALM 	USC2.EDU
	kerberos server in this realm is pompei.usc.edu

	kdb_edit to add principal krbtgt, instance USC.EDU

	added to /usr/etc/credentials
	(this filesystem is shared by xanadu and pompei so the 
	access grants for both root@pompei and root@xanadu are in
	the same file)
		root@xanadu.usc.edu:0
		root@pompei.usc.edu:0

	added to /etc/krb.realm
		xanadu.usc.edu USC.EDU

	added to /etc/krb.conf
		USC.EDU xanadu.usc.edu
		
Results/errors

If we try kinit -r, we obtain a tgt ticket to the remote
ticket granting service.  That seems to work.
However, when we try authenticating to the remote service
we got the following kerberos error message:

krb_rd_req returned 31: Can't decode authenticator (krb_rd_req)


Is this the correct procedure for inter-realm authentication?
Any help is much appreciated!
Thanks,

Tasha Alfonso
Ron Cocchi
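
Added example, not part of the original message: a Python check that the entries listed in the message are reciprocal between the two realms. The first krb.conf line naming the local realm, each realm's own KDC line, the principals other than krbtgt.<remote realm>, and all function names are assumptions; the check covers presence of entries only, not key material.

```python
def parse_krb_conf(text):
    """First line is the local realm; later lines are 'REALM kdc-host'."""
    rows = [l.split() for l in text.splitlines() if l.strip()]
    kdcs = {}
    for fields in rows[1:]:
        if len(fields) >= 2:
            kdcs.setdefault(fields[0], []).append(fields[1].lower())
    return rows[0][0], kdcs

def parse_krb_realm(text):
    """Lines are 'host REALM'; returns {host: realm}."""
    rows = (l.split() for l in text.splitlines())
    return {f[0].lower(): f[1] for f in rows if len(f) >= 2}

def check_pair(sites, a, b):
    """List what is missing for cross-realm use between realms a and b."""
    problems = []
    for here, there in ((a, b), (b, a)):
        site = sites[here]
        local, kdcs = parse_krb_conf(site["krb_conf"])
        hosts = parse_krb_realm(site["krb_realm"])
        if local != here:
            problems.append(f"{here}: krb.conf local realm is {local}")
        if there not in kdcs:
            problems.append(f"{here}: krb.conf has no KDC for {there}")
        # In this setup both KDCs sit under usc.edu, so each remote KDC
        # host needs an explicit host-to-realm entry.
        for host in kdcs.get(there, []):
            if hosts.get(host) != there:
                problems.append(f"{here}: krb.realm does not map {host} to {there}")
        if f"krbtgt.{there}" not in site["principals"]:
            problems.append(f"{here}: no principal krbtgt.{there}")
    return problems

# Constructed sample: the remote-realm lines and krbtgt instances are the
# ones quoted in the message; everything else is assumed.
SITES = {
    "USC.EDU": {
        "krb_conf": "USC.EDU\nUSC.EDU xanadu.usc.edu\nUSC2.EDU pompei.usc.edu\n",
        "krb_realm": "pompei.usc.edu USC2.EDU\n",
        "principals": {"krbtgt.USC.EDU", "krbtgt.USC2.EDU", "root."}},
    "USC2.EDU": {
        "krb_conf": "USC2.EDU\nUSC2.EDU pompei.usc.edu\nUSC.EDU xanadu.usc.edu\n",
        "krb_realm": "xanadu.usc.edu USC.EDU\n",
        "principals": {"krbtgt.USC2.EDU", "krbtgt.USC.EDU", "visa.pompei"}},
}

if __name__ == "__main__":
    print(check_pair(SITES, "USC.EDU", "USC2.EDU") or "entries are reciprocal")
```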


