[19329] in Kerberos
Re: Cross realm authentication between MTI and Heimdal
daemon@ATHENA.MIT.EDU (Tillman)
Wed May 28 18:29:42 2003
Date: Wed, 28 May 2003 16:30:46 -0600
From: Tillman <tillman@seekingfire.com>
To: kerberos@mit.edu
Message-ID: <20030528163046.T9113@seekingfire.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030528161940.S9113@seekingfire.com>;
from tillman@seekingfire.com on Wed, May 28, 2003 at 04:19:40PM -0600
Errors-To: kerberos-bounces@mit.edu
On Wed, May 28, 2003 at 04:19:40PM -0600, Tillman wrote:
> The result of a cross realm Kerberized telnet:
>
> $ telnet -x -k SMITHCLAN.CA -l root calvin.smithclan.ca
> Trying 192.168.8.2...
> Connected to calvin.smithclan.ca (192.168.8.2).
> Escape character is '^]'.
> Waiting for encryption to be negotiated...
> Authentication negotation has failed, which is required for
> encryption. Good bye.
Following up on my own post, here's an authdebug'ed telnet session:
$ telnet -x -l toor -k SMITHCLAN.CA
telnet> toggle authdebug
auth debugging enabled
telnet> open calvin.smithclan.ca
Trying 192.168.8.2...
Connected to calvin.smithclan.ca (192.168.8.2).
Escape character is '^]'.
>>>TELNET: I support auth type 2 6
>>>TELNET: I support auth type 2 2
>>>TELNET: I support auth type 2 0
>>>TELNET: I support auth type 1 2
>>>TELNET: I support auth type 1 0
Waiting for encryption to be negotiated...
>>>TELNET: auth_send got: 02 02 02 00 06 00
>>>TELNET: He supports 2
>>>TELNET: Trying 2 2
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
database)
>>>TELNET: He supports 2
>>>TELNET: Trying 2 0
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
database)
>>>TELNET: He supports 6
>>>TELNET: Sent failure message
Authentication negotation has failed, which is required for
encryption. Good bye.
Hopefully this helps diagnose things - the server not found seems odd,
because if it's talking about the host principal it definitely exists
(evidenced by the fact that when I have a ticket from the SMITHCLAN.CA
realm I can telnet -x to it normally).
The relevant sections of my krb5.conf look like this:
[realms]
    SEEKINGFIRE.PRV = {
        kdc = pluto.seekingfire.prv:88
        admin_server = pluto.seekingfire.prv:749
        default_domain = seekingfire.prv
    }
    SMITHCLAN.PRV = {
        kdc = 192.168.8.49:88
        default_domain = smithclan.ca
    }
-T
--
"Surely the 4 sysadmins of the apocalypse should be:
edquota, rm -rf, kill -9, and shutdown."
- Rob Blake
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
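
A small lint for the kind of configuration posted above, added here as an example and not part of the original message: it lists the stanzas in a krb5.conf [realms] section and reports whether a realm name passed to telnet -k has one, plus stanza names that share its first label. The function names are hypothetical, the sample input is the excerpt from the post (other sections of the file were not shown), and a missing stanza is only a finding to look at, since KDCs can also be located by other means.

```python
import re

# Excerpt posted in the message above; the rest of the file was not shown.
POSTED_CONF = """\
[realms]
SEEKINGFIRE.PRV = {
    kdc = pluto.seekingfire.prv:88
    admin_server = pluto.seekingfire.prv:749
    default_domain = seekingfire.prv
}
SMITHCLAN.PRV = {
    kdc = 192.168.8.49:88
    default_domain = smithclan.ca
}
"""

def parse_sections(text):
    """Parse krb5.conf-style text into {section: {name: value or stanza dict}}."""
    sections, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, stanza = sections.setdefault(header.group(1), {}), None
        elif line == "}":
            stanza = None                 # end of a "NAME = { ... }" stanza
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stanza = section.setdefault(key, {})
            elif stanza is not None:
                stanza.setdefault(key, []).append(value)   # keys such as kdc may repeat
            else:
                section[key] = value
    return sections

def check_realm(conf_text, realm):
    """Say whether `realm` has a [realms] stanza and list near-miss stanza names."""
    realms = parse_sections(conf_text).get("realms", {})
    label = realm.split(".", 1)[0]
    near = sorted(r for r in realms if r != realm and r.split(".", 1)[0] == label)
    stanza = realms.get(realm)
    kdcs = stanza.get("kdc", []) if isinstance(stanza, dict) else []
    return {"defined": realm in realms, "near_misses": near, "kdcs": kdcs}

if __name__ == "__main__":
    print(check_realm(POSTED_CONF, "SMITHCLAN.CA"))   # realm given to telnet -k above
```
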