cross realm trusts ..
Matt Bryant
matthew.bryant at melbourneit.com.au
Thu Nov 28 16:53:45 EST 2013
Hmm a thought but checking the configs the legacy realm is using
supported_enctypes = des3-cbc-sha1:normal des3-cbc-raw:normal
and added both the cross realm keys to both KDCs with a single
explicitly defined enctype ...
i.e.
add_princ -e des3-cbc-sha1:normal -pw XXXX krbtgt/REALM1 at REALM2
rgds
Matt B.
On 29/11/13 07:29, Dennis Davis wrote:
> On Fri, 29 Nov 2013, Matt Bryant wrote:
>
>> From: Matt Bryant <matthew.bryant at melbourneit.com.au>
>> To: undisclosed-recipients: ;
>> Cc: kerberos at mit.edu
>> Date: Thu, 28 Nov 2013 20:36:03
>> Subject: Re: cross realm trusts ..
>>
>> Have done that and yes can see all of those tickets .... mine, the
>> TGT for cross realm auth and the host ticket in the other realm ..
>> Now at this point got to say the old realm/kdc is on el4 and of
>> course the ipa is on el6
>> is there any reason the version disparity 1.3 v 1.10 is causing issues
> Wild guess: Incompatible encryption types?
>
> See:
>
> http://web.mit.edu/kerberos/krb5-1.10/
>
> which includes:
>
> DES transition
>
> The Data Encryption Standard (DES) is widely recognized as
> weak. The krb5-1.7 release contains measures to encourage sites to
> migrate away from using single-DES cryptosystems. Among these is
> a configuration variable that enables "weak" enctypes, which now
> defaults to "false" beginning with krb5-1.8.
>
> Kerberos 1.3 will be happy with what are now regarded as weak
> encryption types.
>
> Also note the manual page for kdc.conf on later versions of Kerberos
> includes:
>
> While aes128-cts and aes256-cts are supported for all Kerberos
> operations, they are not supported by very old versions of our
> GSSAPI implementation (krb5-1.3.1 and earlier). Services running
> versions of krb5 without AES support must not be given AES keys in
> the KDC database.
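Dennis's "incompatible encryption types" guess can be worked through mechanically. The following is an added example, not code from the thread or from MIT krb5: it parses the `supported_enctypes` line quoted above and computes which enctypes a cross-realm krbtgt key could use when one KDC refuses weak crypto and the other has no AES support. The legacy realm's list is the one from the post; the IPA realm's list, the `allow_weak_crypto` settings and the `aes_capable` flags are constructed assumptions for illustration.

```python
# Single-DES enctypes: the family the quoted krb5-1.10 release notes call
# weak, refused when allow_weak_crypto is false (the default since krb5-1.8).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# AES enctypes: not usable by krb5-1.3.1 and earlier per the quoted kdc.conf note.
AES_ENCTYPES = {"aes128-cts", "aes256-cts"}


def parse_supported_enctypes(line):
    """Turn a kdc.conf 'supported_enctypes = enc:salt enc:salt ...' line
    into the bare enctype names, dropping each ':salt' suffix."""
    _, _, value = line.partition("=")
    return [tok.split(":")[0] for tok in value.split()]


def usable_cross_realm_enctypes(realm_a, realm_b):
    """Enctypes a krbtgt/REALM_A@REALM_B key may use so that both KDCs
    accept it.  Each realm is a dict with 'supported' (list of enctypes),
    'allow_weak_crypto' (bool) and 'aes_capable' (bool)."""
    common = [e for e in realm_a["supported"] if e in realm_b["supported"]]
    usable = []
    for enc in common:
        both_allow_weak = realm_a["allow_weak_crypto"] and realm_b["allow_weak_crypto"]
        both_aes = realm_a["aes_capable"] and realm_b["aes_capable"]
        if enc in WEAK_ENCTYPES and not both_allow_weak:
            continue  # one side rejects single-DES keys
        if enc in AES_ENCTYPES and not both_aes:
            continue  # one side cannot use AES keys
        usable.append(enc)
    return usable


# Constructed realm profiles (assumptions, see lead-in).
LEGACY_EL4 = {  # krb5-1.3 era KDC; enctype list copied from the post above
    "supported": parse_supported_enctypes(
        "supported_enctypes = des3-cbc-sha1:normal des3-cbc-raw:normal"),
    "allow_weak_crypto": True,   # 1.3 has no weak-crypto restriction
    "aes_capable": False,        # per the quoted kdc.conf note
}
IPA_EL6 = {  # krb5-1.10 era KDC; enctype list assumed for illustration
    "supported": parse_supported_enctypes(
        "supported_enctypes = aes256-cts:normal aes128-cts:normal "
        "des3-cbc-sha1:normal des-cbc-crc:normal"),
    "allow_weak_crypto": False,  # krb5-1.8+ default
    "aes_capable": True,
}

if __name__ == "__main__":
    print(usable_cross_realm_enctypes(LEGACY_EL4, IPA_EL6))  # ['des3-cbc-sha1']
```

With these profiles the only key type both sides can honour is des3-cbc-sha1, which is the single enctype the post pins the cross-realm principals to; a realm that supported only AES would leave the intersection empty.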