Cross realm authentication between MIT and Heimdal

Tillman tillman at seekingfire.com
Wed May 28 18:19:40 EDT 2003


Host Pluto is my MIT KDC. Host Pmax is a Heimdal KDC I'm trying to set
up a bi-directional cross realm trust with.

I've read FAQ2.15, but I'm still running into problems. Here's what I
have so far:

On host Pluto:
kadmin.local:  listprincs kr*
krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.CA
krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV

On host Pmax:
kadmin> list krb*
  krbtgt/SMITHCLAN.PRV@SMITHCLAN.PRV
  krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
  krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.PRV

My current set of tickets:

Default principal: tillman@SEEKINGFIRE.PRV
Valid starting     Expires            Service principal
05/27/03 09:00:12  06/24/03 09:00:12  krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
05/27/03 09:00:16  06/24/03 09:00:12  host/athena.seekingfire.prv@SEEKINGFIRE.PRV
05/27/03 14:30:35  06/24/03 09:00:12  host/athena.seekingfire.prv@SEEKINGFIRE.PRV
05/27/03 15:05:38  06/24/03 09:00:12  host/blues.seekingfire.prv@SEEKINGFIRE.PRV
05/28/03 10:12:55  06/24/03 09:00:12  krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV

The result of a cross realm Kerberized telnet:

$ telnet -x -k SMITHCLAN.CA -l root calvin.smithclan.ca
Trying 192.168.8.2...
Connected to calvin.smithclan.ca (192.168.8.2).
Escape character is '^]'.
Waiting for encryption to be negotiated...
Authentication negotation has failed, which is required for
encryption.  Good bye.

Root's .k5login on Calvin (an application server in SMITHCLAN.CA):

tillman@SMITHCLAN.PRV
tillman@SEEKINGFIRE.PRV


Internally, both realms work. It's just the connection from one to the
other via cross realm trust (and .k5login) that's failing.

I've tried Google for the "Authentication negotation has failed" string
but I'm not finding anything related to cross realm trusts. It appears
to be at least partially working - I have the cross realm TGT.

Is there anything obvious that I'm missing or doing wrong?

-T

-- 
Zen is the unsymbolization of the world.
	R.H. Blyth
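
Added example, not part of the original message: a name-level consistency check over the two kadmin listings quoted above, based on the requirement that a two-way trust between realms A and B has both krbtgt/B@A and krbtgt/A@B present on both KDCs. The function names are hypothetical, and the parser accepts both "@" and the " at " form the list archive substitutes for it.

```python
import re

# krbtgt entries from the two kadmin listings in the message above.
PLUTO = """\
krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.CA
krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
"""
PMAX = """\
  krbtgt/SMITHCLAN.PRV@SMITHCLAN.PRV
  krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
  krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.PRV
"""

# krbtgt/<target realm>@<issuing realm>; " at " is the archive's rendering of "@".
PRINC = re.compile(r"^\s*krbtgt/(\S+?)(?:\s+at\s+|@)(\S+)\s*$")


def cross_realm_tgts(listing):
    """Return {(target, issuer)} for krbtgt principals whose two realms differ."""
    found = set()
    for line in listing.splitlines():
        m = PRINC.match(line)
        if m and m.group(1) != m.group(2):
            found.add((m.group(1), m.group(2)))
    return found


def fmt(pairs):
    """Render (target, issuer) pairs back into sorted principal names."""
    return sorted(f"krbtgt/{t}@{i}" for t, i in pairs)


def check_trust(listing_a, listing_b):
    """Name-level check of a two-way trust between KDC A and KDC B."""
    a, b = cross_realm_tgts(listing_a), cross_realm_tgts(listing_b)
    shared = a & b  # cross-realm principals that exist on both KDCs
    return {
        "only_a": fmt(a - b),
        "only_b": fmt(b - a),
        # shared principal whose reverse direction is not also shared
        "one_way": fmt({p for p in shared if (p[1], p[0]) not in shared}),
    }


if __name__ == "__main__":
    for key, names in check_trust(PLUTO, PMAX).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

The check compares principal names only; each shared cross-realm principal must also carry the same key on both KDCs, which the listings do not show.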