[36091] in Kerberos
kinit is ok, but ssh is not
daemon@ATHENA.MIT.EDU (Giuseppe Mazza)
Fri May 2 12:35:55 2014
Message-ID: <5363C94A.5030802@imperial.ac.uk>
Date: Fri, 02 May 2014 17:35:22 +0100
From: Giuseppe Mazza <g.mazza@imperial.ac.uk>
To: kerberos@mit.edu
Dear All,
I have built a test infrastructure as below:
gm-u1204 = Ubuntu12.04 server running my kdc (realm -> GML.DOC.IC.AC.UK)
gm-win2012 = Windows 2012 running my dc (domain -> GMW.DOC.IC.AC.UK)
I have set up a nontransitive trust, i.e.
"One-way: incoming Users in this domain GMW.DOC.IC.AC.UK
can be authenticated in the specified realm GML.DOC.IC.AC.UK"
1] I can
mazza@gm-u1204:~$ kinit giuseppe@GMW.DOC.IC.AC.UK
mazza@gm-u1204:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: giuseppe@GMW.DOC.IC.AC.UK
Valid starting     Expires            Service principal
02/05/14 15:55:17  03/05/14 01:55:34  krbtgt/GMW.DOC.IC.AC.UK@GMW.DOC.IC.AC.UK
        renew until 03/05/14 15:55:17
2] but I cannot
mazza@gm-u1204:~$ ssh -vvv giuseppe@gm-u1204
...
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot find KDC for requested realm
...
debug1: Next authentication method: password
giuseppe@gm-u1204's password:
and I am asked for giuseppe's password :-(
I have noticed the "Cannot find KDC for requested realm" message above.
My /etc/krb5.conf contains the lines below:
root@gm-u1204:~# grep -A 1 -B 2 GML /etc/krb5.conf
[libdefaults]
default_realm = GML.DOC.IC.AC.UK
rdns = false
--
# in the section below:
[realms]
GML.DOC.IC.AC.UK = {
kdc = gml.doc.ic.ac.uk
--
# in the section below:
[domain_realm]
.doc.ic.ac.uk = GML.DOC.IC.AC.UK
doc.ic.ac.uk = GML.DOC.IC.AC.UK
.mit.edu = ATHENA.MIT.EDU
root@gm-u1204:~# grep -A 2 GMW /etc/krb5.conf
GMW.DOC.IC.AC.UK = {
kdc = gm-win2012.doc.ic.ac.uk:88
default_domain = doc.ic.ac.uk
I wonder if you could provide some help to solve my problem.
Thank you in advance,
Giuseppe
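
An offline check of which realms the ssh attempt above involves, and whether krb5.conf names a KDC for each. This is an added example, not part of the original post. It models only the [realms] kdc entries and the [domain_realm] lookup (no DNS, no include files), and the fully qualified name gm-u1204.doc.ic.ac.uk and the function names are assumptions.

```python
import re

# Constructed sample: the krb5.conf fragments quoted in the post, reassembled.
# Closing braces are an assumption (the grep output cut them off).
SAMPLE = """
[realms]
GML.DOC.IC.AC.UK = {
  kdc = gml.doc.ic.ac.uk
}
GMW.DOC.IC.AC.UK = {
  kdc = gm-win2012.doc.ic.ac.uk:88
}
[domain_realm]
.doc.ic.ac.uk = GML.DOC.IC.AC.UK
doc.ic.ac.uk = GML.DOC.IC.AC.UK
"""

def parse(text):
    """Return ({realm: [kdc, ...]}, {host_or_domain: realm})."""
    kdcs, dmap, section, realm = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):      # section header
            section, realm = m.group(1), None
        elif line == "}":                               # end of a realm block
            realm = None
        elif "=" in line and not line.startswith(("#", ";")):
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "realms" and val == "{":
                realm = key
                kdcs[realm] = []
            elif section == "realms" and realm and key == "kdc":
                kdcs[realm].append(val)
            elif section == "domain_realm":
                dmap[key.lower()] = val
    return kdcs, dmap

def realm_for_host(host, dmap):
    """Try the host name, then each parent domain with and without its leading dot."""
    name = host.lower()
    while name and name not in dmap:
        name = name[1:] if name[0] == "." else name[name.find("."):] if "." in name else ""
    return dmap.get(name)

def check(principal, host, text=SAMPLE):
    kdcs, dmap = parse(text)
    client, service = principal.rsplit("@", 1)[1], realm_for_host(host, dmap)
    # A client in one realm reaching a service in another needs this cross-realm TGT.
    tgt = f"krbtgt/{service}@{client}" if service and service != client else None
    missing = [r for r in (client, service) if r and not kdcs.get(r)]
    return {"client_realm": client, "service_realm": service, "cross_realm_tgt": tgt, "realms_without_kdc": missing}
```

In this model the unqualified name gm-u1204 matches no [domain_realm] entry, so `check("giuseppe@GMW.DOC.IC.AC.UK", "gm-u1204")` reports `service_realm` as `None`.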