[4026] in Kerberos


cross realm (configuration question)

daemon@ATHENA.MIT.EDU (Kambiz Aghaiepour)
Wed Oct 12 15:12:42 1994

Date: Wed, 12 Oct 94 11:57:40 PDT
To: kerberos@MIT.EDU
Reply-To: kambiz@srv.PacBell.COM
From: Kambiz Aghaiepour <kxaghai@srv.PacBell.COM>


I have compiled and installed kerberos 5.4.2 using the default
configuration and am having a hard time authenticating to one of my
machines.  Here is the scenario:

I would like to be able to rlogin to "foo.bar.com".  I have a machine
called "kdc.pb.bar.com" running the krb5kdc daemon. "kdc" is the NIS
master for the domain "+pb.bar.com".  It is also running in.named and
knows of both "foo.bar.com" and of its CNAME record as "foo.pb.bar.com".

"foo" does not set domainname but runs the resolve version of libc.so.*
(as created in the /usr/lib/shlib.etc directory).  

Now, "kdc" is set up to be in the realm "PB.BAR.COM".  I have created an
entry "host/foo.bar.com@PB.BAR.COM" in the krb5kdc database on the
machine "kdc", and placed it on "foo" as v5srvtab after extracting using
admin/kdb5_edit.  However, when I use the rlogin (from /krb5/bin) as
follows:

 /krb5/bin/rlogin -x foo.bar.com

I get the following error message in the log files:

Oct 12 11:39:41 kdc.pb.bar.com krb5kdc[28408]: TGS_REQ: UNKNOWN_SERVER: authtime 781987030, host 666.666.666.666, kxaghai@PB.BAR.COM for host/foo@PB.BAR.COM, Server not found in Kerberos database

(I really don't have the above IP address, I changed it for this
example)

My krb.conf file reads:
---cut---
PB.BAR.COM
PB.BAR.COM kdc.pb.bar.com admin server
---cut---

and my krb.realms reads:
---cut---
FOO PB.BAR.COM
FOO.BAR.COM PB.BAR.COM
PB.BAR.COM PB.BAR.COM
.PB.BAR.COM PB.BAR.COM
.PB.BAR.COM. PB.BAR.COM
---cut---

If I change the entry in the krb5kdc database to read host/foo instead
of host/foo.bar.com, then the ticket is granted, but "foo" complains
that the wrong principal is in the request for service:

Couldn't authenticate to server: Server rejected authentication (during sendauth exchange)
Server returned error code 60 (Generic error (see e-text))
Error text sent from server: Wrong principal in request
rlogin: kcmd to host foo.bar.com failed - Server rejected authentication (during sendauth exchange)

Any ideas what I need to do to set this up correctly?  Thanks for any
assistance.

Kambiz
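
The log line quoted in the message shows the KDC being asked for host/foo@PB.BAR.COM while the database entry is host/foo.bar.com@PB.BAR.COM. The following triage helper is an added example, not part of the original message: the regular expression follows only the one krb5kdc log line quoted above, and the function names and the DATABASE list are constructed for illustration.

```python
import re

# Matches the TGS_REQ line format quoted in the post (after the syslog prefix).
TGS_RE = re.compile(
    r"krb5kdc\[\d+\]: TGS_REQ: (?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"host (?P<addr>\S+), (?P<client>\S+) for (?P<server>[^,\s]+)"
)

# Log line copied from the post; DATABASE is a constructed principal list.
LOG_LINE = ("Oct 12 11:39:41 kdc.pb.bar.com krb5kdc[28408]: TGS_REQ: UNKNOWN_SERVER: "
            "authtime 781987030, host 666.666.666.666, kxaghai@PB.BAR.COM for "
            "host/foo@PB.BAR.COM, Server not found in Kerberos database")
DATABASE = ["host/foo.bar.com@PB.BAR.COM", "krbtgt/PB.BAR.COM@PB.BAR.COM",
            "kxaghai@PB.BAR.COM"]

def split_principal(name):
    """Split 'service/host@REALM' into (service, host, realm); host may be None."""
    body, _, realm = name.partition("@")
    service, _, host = body.partition("/")
    return service, (host or None), realm

def near_misses(requested, database):
    """Entries with the same service and realm whose host component differs
    from the requested one only as short name versus fully qualified name."""
    svc, host, realm = split_principal(requested)
    hits = []
    for entry in database:
        e_svc, e_host, e_realm = split_principal(entry)
        if (e_svc, e_realm) != (svc, realm) or not host or not e_host:
            continue
        a, b = host.lower(), e_host.lower()
        if a != b and (a.startswith(b + ".") or b.startswith(a + ".")):
            hits.append(entry)
    return hits

def triage(line, database):
    """Return client, requested principal and near-miss entries for an
    UNKNOWN_SERVER line; None for any other line."""
    m = TGS_RE.search(line)
    if m is None or m.group("status") != "UNKNOWN_SERVER":
        return None
    return {"client": m.group("client"), "requested": m.group("server"),
            "candidates": near_misses(m.group("server"), database)}

if __name__ == "__main__":
    print(triage(LOG_LINE, DATABASE))
```

A non-empty "candidates" list means the client and the database disagree on the form of the host name rather than the service being absent.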

