kinit in cross domain and cross realm
Douglas E. Engert
deengert at anl.gov
Mon Dec 15 08:44:11 EST 2003
Vikas Gandhi wrote:
>
> Hi
> Can someone guide me? If I have a user account in ADSI called sample
> and I want to run the gssapi samples from Solaris 9 using it, I
> continuously get this result: "Server not found in Kerberos
> database". My belief is that I am not able to generate the right
> keytab file.
> What should be my kinit?
>
> ktpass -princ sample/blade.qdms.co.in at QDMS.CO.IN -mapuser sample -pass
> sample -out blade.keytab
>
> or
> ktpass -princ sample/blade.quark.co.in at QDMS.CO.IN -mapuser sample
> -pass sample -out blade.keytab (domain blade.quark.co.in)
>
> or
> ktpass -princ sample/blade.quark.co.in at QDMS.CO.IN -mapuser sample
> -pass sample -out blade.keytab (domain blade.quark.co.in)
>
> My details are given below.
> WIN-OS: 2003 server
> WIN-DOMAIN: QDMS.CO.IN
> WIN-realm: QDMS.CO.IN
> win-host-name: beetle.qdms.co.in
>
> SUN-OS: solaris 9
> SEAM-DOMAIN: QUARK.CO.IN
> win-host-name: blade.quark.co.in
> seam-realm: QUARK.CO.IN
> seam version: 1.01
>
> My /etc/hosts file says the following
> X.X.X.X blade.qdms.co.in blade.quark.co.in blade
> X.X.X.X beetle beetle.qdms.co.in beetle.quark.co.in
The above will get you in trouble. Keep it simple for the test.
Each machine should be in only one domain, and it looks like
you want them to be in separate realms.
>
> My /etc/resolv.conf says
> domain quark.co.in
> nameserver X.X.X.X
> nameserver X.X.X.X
> search quark.co.in qdms.co.in
>
> My /etc/krb5/krb5.conf says
> [libdefaults]
> default_realm = QDMS.CO.IN
> # default_realm = QUARK.CO.IN
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> # dns_lookup_kdc=true
> # dns_lookup_realm =true
>
> [realms]
> QUARK.CO.IN= {
> kdc = blade.quark.co.in
> admin_server = blade.quark.co.in
> }
> QDMS.CO.IN= {
> kdc = beetle.qdms.co.in:88
> admin_server = beetle.qdms.co.in
> default_realm = QDMS.CO.IN
> }
> [capaths]
> QUARK.CO.IN = {
> QDMS.CO.IN = .
> }
> QDMS.CO.IN = {
> QUARK.CO.IN = .
> }
> [domain_realm]
> .quark.co.in= QDMS.CO.IN
> .qdms.co.in= QDMS.CO.IN
> #
> # if the domain name and realm name are equivalent,
> # this entry is not needed
> #
> [logging]
> default = FILE:/var/krb5/kdc.log
> kdc = FILE:/var/krb5/kdc.log
> kdc = SYSLOG:INFO:DAEMON
>
> [appdefaults]
> gkadmin = {
> help_url = http://blade:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956
> }
> kinit = {
> forwardable = true
> }
> telnet = {
> forward = true
> encrypt = true
> autologin = true
> }
>
> FYI: I am able to kinit to the Windows KDC and get a ticket. Next, I
> have successfully run the SSPI (Windows Feb-2003 SDK) samples
> using the SEAM KDC and the ADSI KDC. Also I am able to run the
> GSSAPI samples with SEAM successfully.
>
> Regards
> Vikas
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
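The reply above says to keep each machine in one domain and map each domain to its own realm. The script below is an added example, not part of the thread or of SEAM, that shows why that matters: it applies the [domain_realm] lookup rule MIT krb5 documents (exact host name first, then each parent domain with a leading dot, then default_realm; SEAM is MIT-derived) to two constructed krb5.conf fragments, the mapping from the original post and the one-domain-per-realm mapping the reply recommends, and prints the service principal a client would ask the KDC for. The two config fragments, the host names and the service name `sample` are taken from the post; the functions `conf_get`, `host_realm` and `service_principal` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): resolve which realm the Kerberos client
# library will pick for a host under the [domain_realm] rule used by MIT krb5
# (exact host match first, then each parent domain with a leading dot, then
# default_realm), and hence which principal it will request from that realm's
# KDC. A request for a principal that realm's KDC does not have is answered
# with "Server not found in Kerberos database".

# Constructed: the mapping from the original post (both domains -> QDMS.CO.IN)
POSTED_CONF='[libdefaults]
default_realm = QDMS.CO.IN
[domain_realm]
.quark.co.in = QDMS.CO.IN
.qdms.co.in = QDMS.CO.IN'

# Constructed: one domain per realm, as the reply recommends
SIMPLE_CONF='[libdefaults]
default_realm = QUARK.CO.IN
[domain_realm]
.quark.co.in = QUARK.CO.IN
.qdms.co.in = QDMS.CO.IN'

# conf_get CONF SECTION KEY -> prints the value of KEY in [SECTION], or nothing
conf_get() {
    printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
        BEGIN { hdr = "[" sec "]" }
        /^\[/ { insec = ($0 == hdr); next }
        insec {
            split($0, kv, "=")
            k = kv[1]; v = kv[2]
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# host_realm CONF HOST -> realm the client library will use for HOST
host_realm() {
    conf=$1; host=$2
    # 1. exact host name entry
    r=$(conf_get "$conf" domain_realm "$host")
    [ -n "$r" ] && { printf '%s\n' "$r"; return; }
    # 2. parent domains, longest first, each with a leading dot
    d=$host
    while [ "${d#*.}" != "$d" ]; do
        d=${d#*.}
        r=$(conf_get "$conf" domain_realm ".$d")
        [ -n "$r" ] && { printf '%s\n' "$r"; return; }
    done
    # 3. fall back to default_realm
    conf_get "$conf" libdefaults default_realm
}

# service_principal CONF SERVICE HOST -> SERVICE/HOST@REALM the client asks for
service_principal() {
    printf '%s/%s@%s\n' "$2" "$3" "$(host_realm "$1" "$3")"
}

for h in blade.quark.co.in beetle.qdms.co.in; do
    echo "posted config: sample/$h -> $(service_principal "$POSTED_CONF" sample "$h")"
    echo "simple config: sample/$h -> $(service_principal "$SIMPLE_CONF" sample "$h")"
done
```

With the posted mapping, a client on blade resolves blade.quark.co.in to QDMS.CO.IN and therefore asks the Windows KDC for sample/blade.quark.co.in@QDMS.CO.IN; with one domain per realm it asks the SEAM KDC for sample/blade.quark.co.in@QUARK.CO.IN. Whichever realm the client ends up asking, that exact principal has to exist there, and the same name has to be the one written into the keytab, so settling the domain-to-realm mapping first makes the right ktpass or kadmin command obvious.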