[38628] in Kerberos
Re: ksu / cross-realm
daemon@ATHENA.MIT.EDU (Benoit PLESSIS)
Thu Nov 7 06:36:48 2019
From: Benoit PLESSIS <benoit.plessis@powerboutique.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Thu, 7 Nov 2019 11:36:19 +0000
Message-ID: <0b8bd826-1b7e-ff35-0f02-2b2f6932dc1c@powerboutique.com>
In-Reply-To: <092d672d-48ff-26f2-6a12-12aad803fa07@powerboutique.com>
Ok, sorry for the noise, it seems to be related to really old distro
packages in fact.
On a recent-ish release it works as expected.

On 07/11/2019 10:55, Benoit PLESSIS wrote:
> Hi guys,
>
> I'm having some unexpected difficulties with ksu in a multi-realm
> environment.
>
> With user1@REALM1 and server.domain@REALM1 everything is working flawlessly:
>
> ssh user1@server.domain from user1@REALM1
> ssh user2@server.domain from user1@REALM1 (with appropriate .k5login)
> user1@server.domain> ksu user2
>
> With user1@REALM2 and server@REALM1 the ksu fails:
>
> ssh user1@server.domain from user1@REALM2 => ok
> ssh user2@server.domain from user1@REALM2 => ok
> user1@server.domain> ksu user2 => Server not found in
> Kerberos database
>
> Apparently in the second case ksu tries to require a TGS in the form of
> server@REALM2 which doesn't exist indeed
>
> Any idea why?
>
> krb5.conf:
>
> [libdefaults]
> default_realm = REALM1
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> [realms]
>     REALM1 = {
>         kdc = ...
>     }
>     REALM2 = {
>         kdc = ...
>     }
>
> [domain_realm]
> domain = REALM1
>
> [capaths]
> REALM1 = { REALM2 = . }
> REALM2 = { REALM1 = . }
>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos