Cross realm authentication between MIT and Heimdal
Tillman
tillman at seekingfire.com
Wed May 28 18:19:40 EDT 2003
Host Pluto is my MIT KDC. Host Pmax is a Heimdal KDC I'm trying to set
up a bi-directional cross realm trust with.
I've read FAQ2.15, but I'm still running into problems. Here's what I
have so far:
On host Pluto:
kadmin.local: listprincs kr*
krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.CA
krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
On host Pmax:
kadmin> list krb*
krbtgt/SMITHCLAN.PRV@SMITHCLAN.PRV
krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.PRV
My current set of tickets:
Default principal: tillman@SEEKINGFIRE.PRV
Valid starting     Expires            Service principal
05/27/03 09:00:12  06/24/03 09:00:12  krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
05/27/03 09:00:16  06/24/03 09:00:12  host/athena.seekingfire.prv@SEEKINGFIRE.PRV
05/27/03 14:30:35  06/24/03 09:00:12  host/athena.seekingfire.prv@SEEKINGFIRE.PRV
05/27/03 15:05:38  06/24/03 09:00:12  host/blues.seekingfire.prv@SEEKINGFIRE.PRV
05/28/03 10:12:55  06/24/03 09:00:12  krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
The result of a cross realm Kerberized telnet:
$ telnet -x -k SMITHCLAN.CA -l root calvin.smithclan.ca
Trying 192.168.8.2...
Connected to calvin.smithclan.ca (192.168.8.2).
Escape character is '^]'.
Waiting for encryption to be negotiated...
Authentication negotation has failed, which is required for
encryption. Good bye.
Root's .k5login on Calvin (an application server in SMITHCLAN.CA):
tillman@SMITHCLAN.PRV
tillman@SEEKINGFIRE.PRV
Internally, both realms work. It's just the connection from one to the
other via cross realm trust (and .k5login) that's failing.
I've tried Google for the "Authentication negotation has failed" string
but I'm not finding anything related to cross realm trusts. It appears
to be at least partially working - I have the cross realm TGT.
Is there anything obvious that I'm missing or doing wrong?
-T
--
Zen is the unsymbolization of the world.
R.H. Blyth
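
An added example, not part of the original post: a two-way cross-realm trust needs both krbtgt/A@B and krbtgt/B@A present on both KDCs, so this sketch compares the two listings quoted above against that expectation. The realm pair passed to `check_trust` (SEEKINGFIRE.PRV and SMITHCLAN.PRV) is an assumption, and the function names are hypothetical.

```python
import re

# krbtgt/<instance>@<realm>, as printed by kadmin "listprincs" / "list"
PRINC = re.compile(r"^krbtgt/([^@\s]+)@(\S+)$")

# Listings retyped from the post above (hosts Pluto and Pmax).
PLUTO = """krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.CA
krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV"""
PMAX = """krbtgt/SMITHCLAN.PRV@SMITHCLAN.PRV
krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.PRV"""

def parse_listing(text):
    """Return {(instance, realm)} for every krbtgt principal in a listing."""
    found = set()
    for line in text.splitlines():
        # Mail archives often rewrite "@" as " at "; accept both spellings.
        m = PRINC.match(line.strip().replace(" at ", "@"))
        if m:
            found.add((m.group(1), m.group(2)))
    return found

def check_trust(listings, realm_a, realm_b):
    """Report cross-realm krbtgt principals that are missing or misnamed.

    Only names are checked. The key, kvno and enctypes of each cross-realm
    principal must also match on both KDCs, which a listing cannot show.
    """
    want = {(realm_a, realm_b), (realm_b, realm_a)}
    known = {realm_a, realm_b}
    findings = []
    for kdc, text in listings.items():
        have = parse_listing(text)
        for inst, realm in sorted(want - have):
            findings.append(f"{kdc}: missing krbtgt/{inst}@{realm}")
        for inst, realm in sorted(have):
            if inst not in known or realm not in known:
                findings.append(
                    f"{kdc}: krbtgt/{inst}@{realm} names a realm outside the trust")
    return findings

if __name__ == "__main__":
    for finding in check_trust({"pluto": PLUTO, "pmax": PMAX},
                               "SEEKINGFIRE.PRV", "SMITHCLAN.PRV"):
        print(finding)
```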