[36092] in Kerberos

Re: kinit is ok, but ssh is not

daemon@ATHENA.MIT.EDU (Kenneth MacDonald)
Fri May 2 12:50:38 2014

From: Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk>
To: kerberos@mit.edu
In-Reply-To: <5363C94A.5030802@imperial.ac.uk>
Date: Fri, 02 May 2014 17:50:00 +0100
Message-ID: <1399049400.5790.497.camel@ion.is.ed.ac.uk>

On Fri, 2014-05-02 at 17:35 +0100, Giuseppe Mazza wrote:
> Dear All,
> 
> I have built a test infrastructure as below:
> gm-u1204 = Ubuntu12.04 server running my kdc (realm -> GML.DOC.IC.AC.UK)
> gm-win2012 = Windows 2012 running my dc (domain -> GMW.DOC.IC.AC.UK)
> 
> I have set up a nontransitive trust, i.e.
> "One-way: incoming Users in this domain          GMW.DOC.IC.AC.UK
>  can be authenticated in the specified realm     GML.DOC.IC.AC.UK
> "
> 
> 1] I can
> mazza@gm-u1204:~$ kinit giuseppe@GMW.DOC.IC.AC.UK
> mazza@gm-u1204:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_1002
> Default principal: giuseppe@GMW.DOC.IC.AC.UK
> 
> Valid starting     Expires            Service principal
> 02/05/14 15:55:17  03/05/14 01:55:34
> krbtgt/GMW.DOC.IC.AC.UK@GMW.DOC.IC.AC.UK
> 	renew until 03/05/14 15:55:17
> 
> 2] but I cannot
> mazza@gm-u1204:~$ ssh -vvv giuseppe@gm-u1204
> ...
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure.  Minor code may provide more information
> Cannot find KDC for requested realm
> ...
> debug1: Next authentication method: password
> giuseppe@gm-u1204's password:
> 
> and I am asked for giuseppe's password :-(
> 
> I have noticed the "Cannot find KDC for requested realm" message above.
> 
> My /etc/krb5.conf contains the lines below:
> 
> 
> root@gm-u1204:~# grep -A 1 -B 2 GML /etc/krb5.conf
> [libdefaults]
> 	default_realm = GML.DOC.IC.AC.UK
> 	rdns = false
> --
> # in the section below:
> [realms]
>         GML.DOC.IC.AC.UK = {
>                 kdc = gml.doc.ic.ac.uk
> --
> # in the section below:
> [domain_realm]
> 	.doc.ic.ac.uk = GML.DOC.IC.AC.UK
> 	doc.ic.ac.uk = GML.DOC.IC.AC.UK
> 	.mit.edu = ATHENA.MIT.EDU
> 
> 
> 
> root@gm-u1204:~# grep -A 2 GMW /etc/krb5.conf
>         GMW.DOC.IC.AC.UK = {
>                 kdc = gm-win2012.doc.ic.ac.uk:88
> 		default_domain = doc.ic.ac.uk
> 
> 
> I wonder if you could provide some help to solve my problem.

Shouldn't the kdc for GML.DOC... be "gm-u1204.doc.ic.ac.uk" instead of
"gml.doc.ic.ac.uk" in your krb5.conf?

Cheers,

Kenny.


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
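
An added example, not part of the thread and not MIT krb5 code: one way to check the point raised in the reply, by listing the `kdc` entries under `[realms]` and reporting any whose host name does not resolve. The `SAMPLE` text is constructed from the fragments quoted above, the function names are hypothetical, and only explicit `kdc = host[:port]` lines with DNS names or IPv4 addresses are handled (no DNS SRV discovery, no IPv6 literals).

```python
import re
import socket
import sys

# Constructed sample assembled from the krb5.conf fragments quoted in the
# thread; the full file is not shown there.
SAMPLE = """\
[libdefaults]
    default_realm = GML.DOC.IC.AC.UK
[realms]
    GML.DOC.IC.AC.UK = {
        kdc = gml.doc.ic.ac.uk
    }
    GMW.DOC.IC.AC.UK = {
        kdc = gm-win2012.doc.ic.ac.uk:88
        default_domain = doc.ic.ac.uk
    }
"""

def realm_kdcs(conf_text):
    """Map each realm in [realms] to the host names of its kdc entries."""
    realms, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None   # new top-level section
        elif section != "realms":
            continue
        elif m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
            realm = m.group(1)                  # start of one realm's block
            realms.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm and (m := re.fullmatch(r"kdc\s*=\s*(\S+?)(?::\d+)?", line)):
            realms[realm].append(m.group(1))    # host with any :port removed
    return realms

def unresolvable_kdcs(conf_text, resolve=socket.getaddrinfo):
    """Return [(realm, host)] for kdc entries whose host does not resolve."""
    return [(realm, host)
            for realm, hosts in realm_kdcs(conf_text).items()
            for host in hosts if not _resolves(host, resolve)]

def _resolves(host, resolve):
    try:
        resolve(host, 88)
        return True
    except OSError:                             # socket.gaierror is an OSError
        return False

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.conf"
    with open(path) as fh:
        for realm, host in unresolvable_kdcs(fh.read()):
            print(f"{realm}: kdc host {host!r} does not resolve")
```

Run on the machine that reports the error, with the path to its `krb5.conf` as the optional argument; an empty result means every listed KDC name resolves, not that the KDC is reachable or serves that realm.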