[38627] in Kerberos
ksu / cross-realm
daemon@ATHENA.MIT.EDU (Benoit PLESSIS)
Thu Nov 7 04:55:23 2019
From: Benoit PLESSIS <benoit.plessis@powerboutique.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Thu, 7 Nov 2019 09:55:00 +0000
Message-ID: <092d672d-48ff-26f2-6a12-12aad803fa07@powerboutique.com>
Hi guys,
I'm having some unexpected difficulties with ksu in a multi-realm
environment.
With user1@REALM1 and server.domain@REALM1 everything is working flawlessly:
ssh user1@server.domain from user1@REALM1
ssh user2@server.domain from user1@REALM1 (with appropriate .k5login)
user1@server.domain> ksu user2
With user1@REALM2 and server@REALM1 the ksu fails:
ssh user1@server.domain from user1@REALM2 => ok
ssh user2@server.domain from user1@REALM2 => ok
user1@server.domain> ksu user2 => Server not found in Kerberos database
Apparently in the second case ksu tries to request a TGS in the form of
server@REALM2, which indeed doesn't exist.
Any idea why?
krb5.conf:
[libdefaults]
    default_realm = REALM1
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
[realms]
    REALM1 = {
        kdc = ...
    }
    REALM2 = {
        kdc = ...
    }
[domain_realm]
    domain = REALM1
[capaths]
    REALM1 = { REALM2 = . }
    REALM2 = { REALM1 = . }
--
Benoit
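An added worked example (not code from Benoit's post or from MIT krb5) that models how the two krb5.conf lookups involved here play out for this configuration: the [domain_realm] host-to-realm mapping and the [capaths] cross-realm path. The constructed input is the config quoted above, with "domain" standing in for the real DNS domain; the script shows which cross-realm TGT a REALM2 client must obtain before it can ask for host/server.domain@REALM1.

```python
# Added example (not from the original post or MIT krb5): models the
# [domain_realm] and [capaths] lookups for the configuration quoted above.
# Constructed from the krb5.conf in the post; "domain" stands in for the
# real DNS domain name.
DOMAIN_REALM = {"domain": "REALM1"}
CAPATHS = {
    "REALM1": {"REALM2": ["."]},
    "REALM2": {"REALM1": ["."]},
}

def host_realm(hostname, domain_realm=DOMAIN_REALM):
    """Map a hostname to its realm the way [domain_realm] is documented:
    exact host first, then each parent domain with and without a leading
    dot (a host entry implicitly covers the domain below it)."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in domain_realm:
                return domain_realm[key]
    return None  # unmapped: the library would fall back to a KDC referral

def cross_realm_path(client_realm, server_realm, capaths=CAPATHS):
    """Return, in order, the krbtgt principals a client in client_realm
    must obtain to reach server_realm. "." in [capaths] means direct."""
    if client_realm == server_realm:
        return []
    hops = capaths.get(client_realm, {}).get(server_realm)
    if hops is None:
        return None  # no capath configured; krb5 would try the hierarchy
    path, prev = [], client_realm
    for realm in [r for r in hops if r != "."] + [server_realm]:
        path.append(f"krbtgt/{realm}@{prev}")
        prev = realm
    return path

def tickets_needed(client_principal, hostname):
    """Service principal for hostname plus the cross-realm TGTs needed first."""
    client_realm = client_principal.rsplit("@", 1)[1]
    server_realm = host_realm(hostname) or ""  # "" = ask for a referral
    service = f"host/{hostname}@{server_realm}"
    return service, cross_realm_path(client_realm, server_realm)

if __name__ == "__main__":
    for client in ("user1@REALM1", "user1@REALM2"):
        print(client, "->", tickets_needed(client, "server.domain"))
```

The krbtgt/REALM1@REALM2 entry returned for the REALM2 client is the principal that must exist in both KDCs for the direct capath to work, and a missing one produces the same "Server not found in Kerberos database" error while it is being fetched. Running ksu with KRB5_TRACE=/dev/stderr and comparing the requested principals against this list shows which request actually fails.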
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos