[23623] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Solaris 9 Cross Realm Authentication Problems

daemon@ATHENA.MIT.EDU (Darren Hoch)
Sat Apr 2 02:36:53 2005

Message-ID: <424E4AB4.3060509@litemail.org>
Date: Fri, 01 Apr 2005 23:33:08 -0800
From: Darren Hoch <darren.hoch@litemail.org>
MIME-Version: 1.0
To: Jeffrey Hutzelman <jhutz@cmu.edu>
In-Reply-To: <5194F2F28886E59E917FAF02@sirius.fac.cs.cmu.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: webmaster@litemail.org
cc: kerberos@mit.edu
Reply-To: darren.hoch@litemail.org
Errors-To: kerberos-bounces@mit.edu

Hello All,

Thanks Jeffery. I deleted the old krbtgt principals and added the 
following on each host:

krbtgt/EXAMPLE.COM@EXAMPLE1.COM
krbtgt/EXAMPLE1.COM@EXAMPLE.COM

I am almost there. When user darren now tries to telnet (kerberized) 
from a host in realm EXAMPLE.COM to a host in EXAMPLE1.COM, the 
credentials and encryption are accepted, however, I am still prompted 
for a password for the user darren in realm EXAMPLE1.COM. Shoud I be 
prompted, or should I be able to do single sign on?

Thanks,
Darren

server1.example.com -> telnet -a -f -x horn.example1.com
Trying 10.16.1.21...
Connected to horn.example1.com (10.16.1.21).
Escape character is '^]'.
Waiting for encryption to be negotiated...[ Kerberos V5 accepts you as : 
:``darren@EXAMPLE.COM'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
Password for darren:
Last login: Fri Apr  1 22:58:31 on pts/2
Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
Welcome to Sol9_FCS on horn
horn.example1.com -> klist
Ticket cache: /tmp/krb5cc_100
Default principal: darren@EXAMPLE1.COM

Valid starting                       Expires                       
Service principal
Fri Apr 01 23:02:07 2005  Sat Apr 02 07:02:07 2005  
krbtgt/EXAMPLE1.COM@EXAMPLE1.COM


>
>> kadmin: lisprincs
>> <snip>
>> krbtgt/example1.com@EXAMPLE2.COM
>> krbtgt/example2.com@EXAMPLE1.COM
>> krbtgt/example1.com@EXAMPLE.COM
>
>
> The second components of each of these principal names must exactly 
> match the name of the realm involved, including case.  So, for 
> example, for a client in the EXAMPLE1.COM realm to authenticate to a 
> service in the EXAMPLE.COM realm, you need 
> krbtgt/EXAMPLE.COM@EXAMPLE1.COM to exist.  Of course, it needs to 
> exist in both realms and have the same key and kvno in both places.
>
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
>   Sr. Research Systems Programmer
>   School of Computer Science - Research Computing Facility
>   Carnegie Mellon University - Pittsburgh, PA
>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post