[23795] in Kerberos


Re: openssh single-sign-on problem

daemon@ATHENA.MIT.EDU (Klavs Klavsen)
Fri Apr 29 04:37:40 2005

Message-ID: <4271F224.9090404@vsen.dk>
Date: Fri, 29 Apr 2005 10:36:52 +0200
From: Klavs Klavsen <kl@vsen.dk>
MIME-Version: 1.0
To: Kevin Coffman <kwc@citi.umich.edu>
In-Reply-To: <20050428132331.78CB91BBB8@citi.umich.edu>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu


on 04/28/05 15:23 Kevin Coffman wrote:
[SNIP]

> The client (auth01.example.dk) thinks that the (ssh) server
> (hostname?) is in a different realm (PROD.DK.EXAMPLE.NET) and is
> trying to get a cross-realm ticket. Check the [domain_realm]
> stanza of your /etc/krb5.conf file on the client and make sure that
> the ssh server's hostname maps to the correct realm (EXAMPLE.DK).

I checked the krb5.conf on server and client and they seem exactly
alike to me :(

the server (kdc) krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXAMPLE.DK
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.DK = {
  kdc = auth01.telmore.dk:88
  admin_server = auth01.example.dk:749
  default_domain = example.dk
 }

[domain_realm]
 .example.dk = EXAMPLE.DK
 example.dk = EXAMPLE.DK

[kdc]

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

and on the client:
[libdefaults]
 default_tkt_enctypes = des-cbc-crc;  des-cbc-md5
 default_tgs_enctypes = des-cbc-crc; des-cbc-md5
 ticket_lifetime = 24000
 default_realm = EXAMPLE.DK
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.DK = {
  kdc = udp/auth01.example.dk:88
 }

[domain_realm]
 .example.dk = EXAMPLE.DK
 example.dk = EXAMPLE.DK

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Any obvious errors?

-- 
Regards,
Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8  B8DA 3D3A 0B79 7E06 3C62

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
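To make the realm-mapping point in Kevin's reply concrete, here is an added example (not code from the post or from MIT krb5) that walks a hostname through a [domain_realm] lookup the way an MIT client does, and shows how an unmapped host ends up with a guessed realm such as PROD.DK.EXAMPLE.NET. It assumes the lookup order documented for MIT krb5 (exact host entry, then parent domains with a leading dot, then the uppercased parent domain as the fallback); the config string and the hostnames ssh01.example.dk and ssh01.prod.dk.example.net are constructed from the stanzas quoted above.

```python
# Added example, not code from the post or from MIT krb5. Models how a client
# picks the realm of the ssh server's hostname from [domain_realm]; the config
# below is reconstructed from the client stanzas quoted in the thread.
CLIENT_KRB5_CONF = """[libdefaults]
 default_realm = EXAMPLE.DK
 dns_lookup_realm = false
[realms]
 EXAMPLE.DK = {
  kdc = udp/auth01.example.dk:88
 }
[domain_realm]
 .example.dk = EXAMPLE.DK
 example.dk = EXAMPLE.DK
"""

def parse_domain_realm(krb5_conf):
    """Return the key/value pairs of the [domain_realm] stanza (keys lowercased)."""
    mapping, in_stanza = {}, False
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):                  # a new stanza starts here
            in_stanza = line == "[domain_realm]"
        elif in_stanza and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping

def host_realm(hostname, mapping):
    """Return (realm, reason) for hostname using the [domain_realm] mapping."""
    host = hostname.lower().rstrip(".")
    if host in mapping:                           # exact host entry wins
        return mapping[host], "host entry"
    labels = host.split(".")
    for i in range(1, len(labels)):               # .b.example.dk, .example.dk, .dk
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix], "domain entry " + suffix
    # Nothing matched: MIT's fallback guesses the uppercased parent domain, and
    # the client then asks for a cross-realm ticket for that guessed realm.
    return ".".join(labels[1:]).upper(), "fallback: uppercased parent domain"

if __name__ == "__main__":
    m = parse_domain_realm(CLIENT_KRB5_CONF)
    for h in ("ssh01.example.dk", "ssh01.prod.dk.example.net"):
        print(h, "->", host_realm(h, m))
    m[".prod.dk.example.net"] = "EXAMPLE.DK"     # the kind of entry that cures it
    print("after adding a mapping:", host_realm("ssh01.prod.dk.example.net", m))
```

The same walk explains why the two files looking "exactly alike" does not help: what matters is whether the ssh server's canonical hostname falls under a mapped domain on the client.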
