[19328] in Kerberos

Cross realm authentication between MIT and Heimdal

daemon@ATHENA.MIT.EDU (Tillman)
Wed May 28 18:19:21 2003

Date: Wed, 28 May 2003 16:19:40 -0600
From: Tillman <tillman@seekingfire.com>
To: kerberos@mit.edu
Message-ID: <20030528161940.S9113@seekingfire.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Errors-To: kerberos-bounces@mit.edu

Host Pluto is my MIT KDC. Host Pmax is a Heimdal KDC I'm trying to set
up a bi-directional cross realm trust with.

I've read FAQ2.15, but I'm still running into problems. Here's what I
have so far:

On host Pluto:
kadmin.local:  listprincs kr*
krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.CA
krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV

On host Pmax:
kadmin> list krb*
  krbtgt/SMITHCLAN.PRV@SMITHCLAN.PRV
  krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
  krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.PRV

My current set of tickets:

Default principal: tillman@SEEKINGFIRE.PRV
Valid starting     Expires            Service principal
05/27/03 09:00:12  06/24/03 09:00:12  krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
05/27/03 09:00:16  06/24/03 09:00:12  host/athena.seekingfire.prv@SEEKINGFIRE.PRV
05/27/03 14:30:35  06/24/03 09:00:12  host/athena.seekingfire.prv@SEEKINGFIRE.PRV
05/27/03 15:05:38  06/24/03 09:00:12  host/blues.seekingfire.prv@SEEKINGFIRE.PRV
05/28/03 10:12:55  06/24/03 09:00:12  krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV

The result of a cross realm Kerberized telnet:

$ telnet -x -k SMITHCLAN.CA -l root calvin.smithclan.ca
Trying 192.168.8.2...
Connected to calvin.smithclan.ca (192.168.8.2).
Escape character is '^]'.
Waiting for encryption to be negotiated...
Authentication negotation has failed, which is required for
encryption.  Good bye.

Root's .k5login on Calvin (an application server in SMITHCLAN.CA):

tillman@SMITHCLAN.PRV
tillman@SEEKINGFIRE.PRV


Internally, both realms work. It's just the connection from one to the
other via cross realm trust (and .k5login) that's failing.

I've tried Google for the "Authentication negotation has failed" string
but I'm not finding anything related to cross realm trusts. It appears
to be at least partially working - I have the cross realm TGT.

Is there anything obvious that I'm missing or doing wrong?

-T

-- 
Zen is the unsymbolization of the world.
	R.H. Blyth
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
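
An added example, not part of the original post: a consistency check over the two principal listings quoted in the message, assuming a bidirectional trust between realms A and B needs both krbtgt/B@A and krbtgt/A@B present on each KDC. The function names are this example's own.

```python
import re

# Principal listings copied from the post (Pluto = MIT KDC, Pmax = Heimdal KDC).
PLUTO = """\
krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.CA
krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
"""
PMAX = """\
  krbtgt/SMITHCLAN.PRV@SMITHCLAN.PRV
  krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
  krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.PRV
"""
KRBTGT = re.compile(r"^\s*krbtgt/([^@\s]+)@(\S+)\s*$")

def parse_krbtgt(listing):
    """Return the set of (target_realm, issuing_realm) pairs for krbtgt principals."""
    pairs = set()
    for line in listing.splitlines():
        m = KRBTGT.match(line)
        if m:
            pairs.add((m.group(1), m.group(2)))
    return pairs

def local_realm(pairs):
    """A KDC's own realm is the one that has a krbtgt/REALM@REALM principal."""
    own = sorted(t for t, i in pairs if t == i)
    if len(own) != 1:
        raise ValueError(f"expected exactly one local TGS principal, found {own}")
    return own[0]

def check_trust(listing_a, listing_b):
    """List name-level problems that prevent a bidirectional trust between two KDCs."""
    a, b = parse_krbtgt(listing_a), parse_krbtgt(listing_b)
    realm_a, realm_b = local_realm(a), local_realm(b)
    required = {(realm_b, realm_a), (realm_a, realm_b)}
    problems = []
    for realm, pairs in ((realm_a, a), (realm_b, b)):
        cross = {p for p in pairs if p[0] != p[1]}  # cross-realm principals only
        for t, i in sorted(required - cross):
            problems.append(f"{realm} KDC: missing krbtgt/{t}@{i}")
        for t, i in sorted(cross - required):
            problems.append(f"{realm} KDC: unmatched krbtgt/{t}@{i}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_trust(PLUTO, PMAX)) or "principal names are consistent")
```

A name match is necessary but not sufficient: each shared krbtgt principal must also carry the same key on both KDCs.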