Cross realm authentication between MTI and Heimdal
Tillman
tillman at seekingfire.com
Wed May 28 18:30:46 EDT 2003
On Wed, May 28, 2003 at 04:19:40PM -0600, Tillman wrote:
> The result of a cross realm Kerberized telnet:
>
> $ telnet -x -k SMITHCLAN.CA -l root calvin.smithclan.ca
> Trying 192.168.8.2...
> Connected to calvin.smithclan.ca (192.168.8.2).
> Escape character is '^]'.
> Waiting for encryption to be negotiated...
> Authentication negotation has failed, which is required for
> encryption. Good bye.
Following up on my own post, here's an authdebug'ed telnet session:
$ telnet -x -l toor -k SMITHCLAN.CA
telnet> toggle authdebug
auth debugging enabled
telnet> open calvin.smithclan.ca
Trying 192.168.8.2...
Connected to calvin.smithclan.ca (192.168.8.2).
Escape character is '^]'.
>>>TELNET: I support auth type 2 6
>>>TELNET: I support auth type 2 2
>>>TELNET: I support auth type 2 0
>>>TELNET: I support auth type 1 2
>>>TELNET: I support auth type 1 0
Waiting for encryption to be negotiated...
>>>TELNET: auth_send got: 02 02 02 00 06 00
>>>TELNET: He supports 2
>>>TELNET: Trying 2 2
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
database)
>>>TELNET: He supports 2
>>>TELNET: Trying 2 0
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
database)
>>>TELNET: He supports 6
>>>TELNET: Sent failure message
Authentication negotation has failed, which is required for
encryption. Good bye.
Hopefully this helps diagnose things - the server not found seems odd,
because if it's talking about the host principal it definitely exists
(evidenced by the fact that when I have a ticket from the SMITHCLAN.CA
realm I can telnet -x to it normally).
The relevant sections of my krb5.conf look like this:
[realms]
SEEKINGFIRE.PRV = {
kdc = pluto.seekingfire.prv:88
admin_server = pluto.seekingfire.prv:749
default_domain = seekingfire.prv
}
SMITHCLAN.PRV = {
kdc = 192.168.8.49:88
default_domain = smithclan.ca
}
-T
--
"Surely the 4 sysadmins of the apocalypse should be:
edquota, rm -rf, kill -9, and shutdown."
- Rob Blake
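As an added example (not part of the original post or of either Kerberos distribution), a small Python check that parses the [realms] section of a krb5.conf and reports when the realm a client names on the command line (here SMITHCLAN.CA, as in `telnet -k SMITHCLAN.CA`) has no entry, and when a realm's default_domain does not match its realm name. The parser is a deliberately minimal one written for this illustration and handles only the nested `NAME = { ... }` layout shown above; the default_domain comparison is a heuristic, not a rule.

```python
import re

def parse_realms(conf_text):
    """Return {realm: {key: value}} from the [realms] section (minimal parser, assumption)."""
    realms, current, in_section = {}, None, False
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('['):
            in_section = line.lower() == '[realms]'
        elif not in_section:
            continue
        elif re.match(r'^\S+\s*=\s*\{$', line):
            current = line.split('=', 1)[0].strip()
            realms[current] = {}
        elif line == '}':
            current = None
        elif current is not None and '=' in line:
            key, val = (s.strip() for s in line.split('=', 1))
            realms[current][key.lower()] = val
    return realms

def check_realm_config(conf_text, requested_realm):
    """Return findings (strings) about the realm a client asked for."""
    realms = parse_realms(conf_text)
    findings = []
    if requested_realm not in realms:
        findings.append(f"no [realms] entry for {requested_realm}; defined: {sorted(realms)}")
    for name, opts in realms.items():
        # Heuristic only: default_domain is often the lowercased realm name,
        # so a mismatch is worth a second look, not an error by itself.
        dom = opts.get('default_domain', '')
        if dom and dom.lower() != name.lower():
            findings.append(f"{name}: default_domain {dom} does not match the realm name")
    return findings

# Constructed sample in the layout of the posted krb5.conf excerpt.
SAMPLE_CONF = """[realms]
SEEKINGFIRE.PRV = {
kdc = pluto.seekingfire.prv:88
default_domain = seekingfire.prv
}
SMITHCLAN.PRV = {
kdc = 192.168.8.49:88
default_domain = smithclan.ca
}
"""
```

Running `check_realm_config(SAMPLE_CONF, 'SMITHCLAN.CA')` on the sample yields two findings: the requested realm is not defined at all, and the SMITHCLAN.PRV entry carries a default_domain that does not match its name.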