[1047] in Kerberos
Re: inter-realm authentication
daemon@ATHENA.MIT.EDU (Jon A. Rochlis)
Thu Jul 12 15:08:38 1990
From: jon@MIT.EDU (Jon A. Rochlis)
To: alfonso%agena.usc.edu@USC.EDU (Tasha Alfonso)
Cc: kerberos@ATHENA.MIT.EDU, alfonso@AGENA.USC.EDU, cocchi@JERICO.USC.EDU
In-Reply-To: Your message of Wed, 11 Jul 90 19:54:35 -0700.
Date: Thu, 12 Jul 90 13:23:05 EDT
    From: alfonso%agena.usc.edu@usc.edu (Tasha Alfonso)
    To: kerberos@ATHENA.MIT.EDU
    Cc: alfonso@agena.usc.edu, cocchi@jerico.MIT.EDU
    Subject: inter-realm authentication
Your mailer doesn't seem to fully qualify cc'd domain names (i.e.
jerico.MIT.EDU probably wants to be jerico.usc.edu).
    We interpreted the instructions for inter-realm authentication outlined
    in this message and made the following entries:
It's very important that krbtgt.USC2.EDU@USC.EDU and
krbtgt.USC.EDU@USC2.EDU both have the same private keys. Is this the
case? It isn't clear to me from your message if you did that part correctly.
    If we try kinit -r, we obtain a tgt ticket to the remote
    ticket granting service. That seems to work.
You shouldn't need to kinit -r. The following is the sequence of
tickets that should be obtained if root@USC.EDU wishes to authenticate
to visa.pompei@USC2.EDU:
(1) krbtgt.USC.EDU@USC.EDU
(2) krbtgt.USC2.EDU@USC.EDU [by presenting (1) to the USC.EDU krb server]
(3) visa.pompei@USC2.EDU [by presenting (2) to the USC2.EDU krb server,
    which is able to decode this TGT because it is encrypted in the same
    key as krbtgt.USC.EDU@USC2.EDU which the USC2.EDU krb servers have in
    their db]
Steps (2) and (3) should happen automagically when you ask
krb_sendauth or krb_mk_req to get a ticket for visa.pompei@USC2.EDU.
Which of these tickets do you get? What do the kerberos.log files on
both servers say?
-- Jon
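
A toy model of the three-ticket sequence listed in the message above, added here as an illustration; it is not part of the original message and not Kerberos code. Assumptions: an HMAC tag stands in for DES ticket encryption, session keys and authenticators are left out, and every key and helper name is constructed. It shows which tickets are obtained when the two inter-realm krbtgt entries hold the same key and when they do not.

```python
import hashlib, hmac, json
def seal(key, body):
    """Toy stand-in for ticket encryption: HMAC tag under `key`, then JSON body."""
    blob = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).digest() + blob

def unseal(key, ticket):
    tag, blob = ticket[:32], ticket[32:]
    if not hmac.compare_digest(tag, hmac.new(key, blob, hashlib.sha256).digest()):
        raise ValueError("ticket does not decode under this key")
    return json.loads(blob)

class KDC:
    def __init__(self, realm, db):
        self.realm, self.db = realm, db  # db maps "name.instance" -> key
    def issue(self, client, service):
        body = {"client": client, "service": f"{service}@{self.realm}"}
        return seal(self.db[service], body)
    def tgs(self, tgt, issuer_realm, service):
        # A TGT issued by realm R is decoded with this server's own krbtgt.R entry.
        client = unseal(self.db[f"krbtgt.{issuer_realm}"], tgt)["client"]
        return self.issue(client, service)

def ticket_chain(usc_db, usc2_db, client="root@USC.EDU"):
    """Names of the tickets obtained, in order, stopping at the first failure."""
    usc, usc2 = KDC("USC.EDU", usc_db), KDC("USC2.EDU", usc2_db)
    steps = [
        ("krbtgt.USC.EDU@USC.EDU", lambda t: usc.issue(client, "krbtgt.USC.EDU")),
        ("krbtgt.USC2.EDU@USC.EDU", lambda t: usc.tgs(t, "USC.EDU", "krbtgt.USC2.EDU")),
        ("visa.pompei@USC2.EDU", lambda t: usc2.tgs(t, "USC.EDU", "visa.pompei")),
    ]
    got, ticket = [], None
    for name, step in steps:
        try:
            ticket = step(ticket)
        except ValueError:
            break
        got.append(name)
    return got

# Constructed keys; SHARED is the inter-realm key both databases must agree on.
SHARED = b"constructed-inter-realm-key"
USC_DB = {"krbtgt.USC.EDU": b"usc-local", "krbtgt.USC2.EDU": SHARED}
USC2_DB = {"krbtgt.USC2.EDU": b"usc2-local", "krbtgt.USC.EDU": SHARED,
           "visa.pompei": b"svc-key"}
USC2_MISMATCHED = dict(USC2_DB, **{"krbtgt.USC.EDU": b"some-other-key"})

if __name__ == "__main__":
    print("matching keys:  ", ticket_chain(USC_DB, USC2_DB))
    print("mismatched keys:", ticket_chain(USC_DB, USC2_MISMATCHED))
```

With mismatched keys the chain stops after ticket (2), which is why the answer to "which of these tickets do you get?" narrows the problem to the shared key.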