Cross realm authentication between MIT and Heimdal
Tillman
tillman at seekingfire.com
Wed May 28 18:30:46 EDT 2003

On Wed, May 28, 2003 at 04:19:40PM -0600, Tillman wrote:
> The result of a cross realm Kerberized telnet:
> 
> $ telnet -x -k SMITHCLAN.CA -l root calvin.smithclan.ca
> Trying 192.168.8.2...
> Connected to calvin.smithclan.ca (192.168.8.2).
> Escape character is '^]'.
> Waiting for encryption to be negotiated...
> Authentication negotation has failed, which is required for
> encryption.  Good bye.
Following up on my own post, here's an authdebug'ed telnet session:
$ telnet -x -l toor -k SMITHCLAN.CA
telnet> toggle authdebug
auth debugging enabled
telnet> open calvin.smithclan.ca
Trying 192.168.8.2...
Connected to calvin.smithclan.ca (192.168.8.2).
Escape character is '^]'.
>>>TELNET: I support auth type 2 6
>>>TELNET: I support auth type 2 2
>>>TELNET: I support auth type 2 0
>>>TELNET: I support auth type 1 2
>>>TELNET: I support auth type 1 0
Waiting for encryption to be negotiated...
>>>TELNET: auth_send got: 02 02 02 00 06 00
>>>TELNET: He supports 2
>>>TELNET: Trying 2 2
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
database)
>>>TELNET: He supports 2
>>>TELNET: Trying 2 0
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
database)
>>>TELNET: He supports 6
>>>TELNET: Sent failure message
Authentication negotation has failed, which is required for
encryption.  Good bye.
Hopefully this helps diagnose things - the "server not found" seems odd,
because if it's talking about the host principal it definitely exists
(evidenced by the fact that when I have a ticket from the SMITHCLAN.CA
realm I can telnet -x to it normally).
The relevant sections of my krb5.conf look like this:
[realms]
 SEEKINGFIRE.PRV = {
  kdc = pluto.seekingfire.prv:88
  admin_server = pluto.seekingfire.prv:749
  default_domain = seekingfire.prv
 }
 SMITHCLAN.PRV = {
  kdc = 192.168.8.49:88
  default_domain = smithclan.ca
 }
-T
-- 
"Surely the 4 sysadmins of the apocalypse should be:
 edquota, rm -rf, kill -9, and shutdown."
	- Rob Blake
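As an added diagnostic example (not part of the post above, and not code from MIT Kerberos or Heimdal), the following script parses a krb5.conf fragment of the shape shown in the post and reports two things a defender checks first when a cross-realm request fails with "Server not found in Kerberos database": whether the realm named on the client (the argument to `telnet -k`) actually has a `[realms]` entry, and whether each realm's `default_domain` matches its own name (realm names are conventionally the upper-cased DNS domain, which the check treats as a heuristic, not a rule). The sample configuration, the function names `parse_krb5_conf` and `check_realms`, and the requested-realm list are all constructed for this example; the `SMITHCLAN.PRV` / `smithclan.ca` pairing is copied from the post so the check has something to find.

```python
"""Minimal krb5.conf [realms] sanity check (added example, not from the post).

krb5.conf is INI-like but allows nested `name = { ... }` blocks, so a
small hand-written parser is used instead of configparser.
"""
import re

# Constructed fragment modelled on the [realms] section quoted in the post.
SAMPLE_KRB5_CONF = """\
[realms]
 SEEKINGFIRE.PRV = {
  kdc = pluto.seekingfire.prv:88
  admin_server = pluto.seekingfire.prv:749
  default_domain = seekingfire.prv
 }
 SMITHCLAN.PRV = {
  kdc = 192.168.8.49:88
  default_domain = smithclan.ca
 }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value_or_nested_dict}} for a krb5.conf string."""
    sections = {}
    stack = []  # dicts currently being filled; stack[0] is the section itself
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:  # new top-level section such as [realms]
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":  # close a nested block
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in krb5.conf")
            stack.pop()
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*\{$", line)
        if m:  # open a nested block, e.g. "SMITHCLAN.PRV = {"
            block = {}
            stack[-1][m.group(1)] = block
            stack.append(block)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {line!r}")
        stack[-1][key.strip()] = value.strip()
    return sections


def check_realms(sections, requested_realms):
    """Return a list of findings (empty list means nothing looked odd).

    requested_realms: realm names the client was asked to use, e.g. the
    argument given to `telnet -k` (constructed input for this example).
    """
    findings = []
    realms = sections.get("realms", {})
    for name, body in realms.items():
        if not isinstance(body, dict) or "kdc" not in body:
            findings.append(f"realm {name} has no kdc entry")
            continue
        domain = body.get("default_domain")
        # Heuristic: realm names are conventionally the upper-cased domain.
        if domain and domain.upper() != name:
            findings.append(
                f"realm {name} has default_domain {domain}; the conventional "
                f"realm name for that domain would be {domain.upper()}"
            )
    for realm in requested_realms:
        if realm not in realms:
            findings.append(f"realm {realm} named on the client has no [realms] entry")
    return findings


if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in check_realms(cfg, ["SMITHCLAN.CA"]):
        print("finding:", finding)
```

Running it against the sample prints two findings: the `SMITHCLAN.PRV` entry maps to `smithclan.ca`, and `SMITHCLAN.CA` itself has no `[realms]` entry, so a client asked for that realm has no KDC address to contact. Whether that is the cause of the failure in the post is for the poster to confirm; the point of the check is that a realm-name mismatch in krb5.conf is a cheap thing to rule out before looking at the KDC databases.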