[23625] in Kerberos
Re: Solaris 9 Cross Realm Authentication Problems
daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Sat Apr 2 16:47:46 2005
Date: Sat, 02 Apr 2005 16:46:24 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: darren.hoch@litemail.org
Message-ID: <7B1894BF811333D1C3B83881@sirius.fac.cs.cmu.edu>
In-Reply-To: <424E4AB4.3060509@litemail.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
cc: webmaster@litemail.org
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
On Friday, April 01, 2005 11:33:08 PM -0800 Darren Hoch
<darren.hoch@litemail.org> wrote:
> Hello All,
>
> Thanks Jeffery. I deleted the old krbtgt principals and added the
> following on each host:
>
> krbtgt/EXAMPLE.COM@EXAMPLE1.COM
> krbtgt/EXAMPLE1.COM@EXAMPLE.COM
>
> I am almost there. When user darren now tries to telnet (kerberized) from
> a host in realm EXAMPLE.COM to a host in EXAMPLE1.COM, the credentials
> and encryption are accepted, however, I am still prompted for a password
> for the user darren in realm EXAMPLE1.COM. Shoud I be prompted, or should
> I be able to do single sign on?
It sounds like now you are successfully authenticating to the telnet
server, and the authorization check is failing. This is not surprising,
since the default policy only allows you to log in as user 'foo' if you are
authenticated as the principal 'foo@LOCAL.REALM'. You can override the
local policy for a given user by giving that user a .k5login file listing
the principals who are allowed to log in as him. For example, you could
give 'darren' a .k5login file containing the following two lines:
darren@EXAMPLE.COM
darren@EXAMPLE1.COM
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos