[19330] in Kerberos


Re: Cross realm authentication between MIT and Heimdal

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu May 29 10:35:46 2003

Message-ID: <3ED61A63.F08C2D99@anl.gov>
Date: Thu, 29 May 2003 09:34:11 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Tillman <tillman@seekingfire.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu



Tillman wrote:
> 
> Host Pluto is my MIT KDC. Host Pmax is a Heimdal KDC I'm trying to set
> up a bi-directional cross realm trust with.
> 
> I've read FAQ2.15, but I'm still running into problems. Here's what I
> have so far:
> 
> On host Pluto:
> kadmin.local:  listprincs kr*
> krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
> krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.CA

This looks wrong, as it appears the realm name should be SMITHCLAN.PRV,
not SMITHCLAN.CA.


> krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
> 
> On host Pmax:
> kadmin> list krb*
>   krbtgt/SMITHCLAN.PRV@SMITHCLAN.PRV
>   krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
>   krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.PRV
> 
> My current set of tickets:
> 
> Default principal: tillman@SEEKINGFIRE.PRV
> Valid starting     Expires            Service principal
> 05/27/03 09:00:12  06/24/03 09:00:12  krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
> 05/27/03 09:00:16  06/24/03 09:00:12  host/athena.seekingfire.prv@SEEKINGFIRE.PRV
> 05/27/03 14:30:35  06/24/03 09:00:12  host/athena.seekingfire.prv@SEEKINGFIRE.PRV
> 05/27/03 15:05:38  06/24/03 09:00:12  host/blues.seekingfire.prv@SEEKINGFIRE.PRV
> 05/28/03 10:12:55  06/24/03 09:00:12  krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
> 
> The result of a cross realm Kerberized telnet:
> 
> $ telnet -x -k SMITHCLAN.CA -l root calvin.smithclan.ca
> Trying 192.168.8.2...
> Connected to calvin.smithclan.ca (192.168.8.2).
> Escape character is '^]'.
> Waiting for encryption to be negotiated...
> Authentication negotation has failed, which is required for
> encryption.  Good bye.
> 
> Root's .k5login on Calvin (an application server in SMITHCLAN.CA):
> 
> tillman@SMITHCLAN.PRV
> tillman@SEEKINGFIRE.PRV
> 
> Internally, both realms work. It's just the connection from one to the
> other via cross realm trust (and .k5login) that's failing.
> 
> I've tried Google for the "Authentication negotation has failed" string
> but I'm not finding anything related to cross realm trusts. It appears
> to be at least partially working - I have the cross realm TGT.
> 
> Is there anything obvious that I'm missing or doing wrong?
> 
> -T
> 
> --
> Zen is the unsymbolization of the world.
>         R.H. Blyth
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
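
Added example, not part of the original message: a consistency check over the two principal listings quoted above, flagging a missing cross-realm krbtgt principal or one that names a realm outside the trust pair. The function names are hypothetical; a listing shows names only, so matching keys, kvno and enctypes on both KDCs still have to be verified separately.

```python
import re

# krbtgt/<target realm>@<issuing realm>
KRBTGT = re.compile(r"^krbtgt/([^@\s]+)@(\S+)$")

# Listings copied from the quoted message (Pluto = MIT KDC, Pmax = Heimdal KDC).
PLUTO = """\
krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.CA
krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
"""
PMAX = """\
  krbtgt/SMITHCLAN.PRV@SMITHCLAN.PRV
  krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
  krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.PRV
"""

def parse_krbtgt(listing):
    """Return the set of (target_realm, issuing_realm) pairs found in a listing."""
    pairs = set()
    for line in listing.splitlines():
        m = KRBTGT.match(line.strip())
        if m:
            pairs.add((m.group(1), m.group(2)))
    return pairs

def check_trust(realm_a, realm_b, listings):
    """Check a bidirectional trust; listings maps a KDC label to its listing text."""
    # Both cross-realm principals must exist in BOTH KDC databases.
    required = {(realm_b, realm_a), (realm_a, realm_b)}
    known = {realm_a, realm_b}
    findings = []
    for kdc, text in listings.items():
        pairs = parse_krbtgt(text)
        for target, issuer in sorted(required - pairs):
            findings.append(f"{kdc}: missing krbtgt/{target}@{issuer}")
        for target, issuer in sorted(pairs):
            if target not in known or issuer not in known:
                findings.append(f"{kdc}: unexpected realm in krbtgt/{target}@{issuer}")
    return findings

if __name__ == "__main__":
    for finding in check_trust("SEEKINGFIRE.PRV", "SMITHCLAN.PRV",
                               {"pluto": PLUTO, "pmax": PMAX}):
        print(finding)
```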
