[23623] in Kerberos
Re: Solaris 9 Cross Realm Authentication Problems
daemon@ATHENA.MIT.EDU (Darren Hoch)
Sat Apr 2 02:36:53 2005
Message-ID: <424E4AB4.3060509@litemail.org>
Date: Fri, 01 Apr 2005 23:33:08 -0800
From: Darren Hoch <darren.hoch@litemail.org>
MIME-Version: 1.0
To: Jeffrey Hutzelman <jhutz@cmu.edu>
In-Reply-To: <5194F2F28886E59E917FAF02@sirius.fac.cs.cmu.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: webmaster@litemail.org
cc: kerberos@mit.edu
Reply-To: darren.hoch@litemail.org
Errors-To: kerberos-bounces@mit.edu
Hello All,
Thanks Jeffery. I deleted the old krbtgt principals and added the
following on each host:
krbtgt/EXAMPLE.COM@EXAMPLE1.COM
krbtgt/EXAMPLE1.COM@EXAMPLE.COM
I am almost there. When user darren now tries to telnet (kerberized)
from a host in realm EXAMPLE.COM to a host in EXAMPLE1.COM, the
credentials and encryption are accepted, however, I am still prompted
for a password for the user darren in realm EXAMPLE1.COM. Shoud I be
prompted, or should I be able to do single sign on?
Thanks,
Darren
server1.example.com -> telnet -a -f -x horn.example1.com
Trying 10.16.1.21...
Connected to horn.example1.com (10.16.1.21).
Escape character is '^]'.
Waiting for encryption to be negotiated...[ Kerberos V5 accepts you as :
:``darren@EXAMPLE.COM'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
Password for darren:
Last login: Fri Apr 1 22:58:31 on pts/2
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
Welcome to Sol9_FCS on horn
horn.example1.com -> klist
Ticket cache: /tmp/krb5cc_100
Default principal: darren@EXAMPLE1.COM
Valid starting Expires
Service principal
Fri Apr 01 23:02:07 2005 Sat Apr 02 07:02:07 2005
krbtgt/EXAMPLE1.COM@EXAMPLE1.COM
>
>> kadmin: lisprincs
>> <snip>
>> krbtgt/example1.com@EXAMPLE2.COM
>> krbtgt/example2.com@EXAMPLE1.COM
>> krbtgt/example1.com@EXAMPLE.COM
>
>
> The second components of each of these principal names must exactly
> match the name of the realm involved, including case. So, for
> example, for a client in the EXAMPLE1.COM realm to authenticate to a
> service in the EXAMPLE.COM realm, you need
> krbtgt/EXAMPLE.COM@EXAMPLE1.COM to exist. Of course, it needs to
> exist in both realms and have the same key and kvno in both places.
>
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
> Sr. Research Systems Programmer
> School of Computer Science - Research Computing Facility
> Carnegie Mellon University - Pittsburgh, PA
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos