Cross-realm authentication (Win2k - SEAM)

Philippe Perrin philippeperrin at yahoo.com
Sun Feb 10 05:50:01 EST 2002


Hi!

I've come across a little problem while trying to authenticate on a Windows
2000 KDC to use Solaris SEAM services with a trust relationship. Here are
the two realms:
1) KERBYKB.LOCAL is the W2k domain. It trusts and is trusted by the other
one: THOTKB
2) THOTKB is a SEAM realm.

Here is what I can do on a client:
- "kinit <user>" works with KERBYKB.LOCAL: I get a
krbtgt/KERBYKB.LOCAL@KERBYKB.LOCAL ticket (type = des-cbc-crc), given by the
W2k KDC
- then I want a TGT for the other realm: "kgetcred
krbtgt/THOTKB@KERBYKB.LOCAL" works: I get a krbtgt/THOTKB@KERBYKB.LOCAL
ticket (etype: des-cbc-crc) given by the W2k KDC
- lastly, I ask for a service ticket of the second realm (from the SEAM KDC):
"kgetcred host/thot.mds@THOTKB" does NOT work, the server says (both in
its logs and on the client's console) "KDC has no support for checksum type"

All my krb5.conf and kdc.conf files ask for des-cbc-crc. What did I do wrong?
Where could the problem come from?

Thank you!

Philippe Perrin





