Cross realm authentication between MIT and Heimdal
Douglas E. Engert
deengert at anl.gov
Thu May 29 10:34:11 EDT 2003
Tillman wrote:
>
> Host Pluto is my MIT KDC. Host Pmax is a Heimdal KDC I'm trying to set
> up a bi-directional cross realm trust with.
>
> I've read FAQ2.15, but I'm still running into problems. Here's what I
> have so far:
>
> On host Pluto:
> kadmin.local: listprincs kr*
> krbtgt/SEEKINGFIRE.PRV at SEEKINGFIRE.PRV
> krbtgt/SEEKINGFIRE.PRV at SMITHCLAN.CA
This looks wrong, as it appears the realm name should be SMITHCLAN.PRV,
not SMITHCLAN.CA.
> krbtgt/SMITHCLAN.PRV at SEEKINGFIRE.PRV
>
> On host Pmax:
> kadmin> list krb*
> krbtgt/SMITHCLAN.PRV at SMITHCLAN.PRV
> krbtgt/SMITHCLAN.PRV at SEEKINGFIRE.PRV
> krbtgt/SEEKINGFIRE.PRV at SMITHCLAN.PRV
>
> My current set of tickets:
>
> Default principal: tillman at SEEKINGFIRE.PRV
> Valid starting Expires Service principal
> 05/27/03 09:00:12 06/24/03 09:00:12 krbtgt/SEEKINGFIRE.PRV at SEEKINGFIRE.PRV
> 05/27/03 09:00:16 06/24/03 09:00:12 host/athena.seekingfire.prv at SEEKINGFIRE.PRV
> 05/27/03 14:30:35 06/24/03 09:00:12 host/athena.seekingfire.prv at SEEKINGFIRE.PRV
> 05/27/03 15:05:38 06/24/03 09:00:12 host/blues.seekingfire.prv at SEEKINGFIRE.PRV
> 05/28/03 10:12:55 06/24/03 09:00:12 krbtgt/SMITHCLAN.PRV at SEEKINGFIRE.PRV
>
> The result of a cross realm Kerberized telnet:
>
> $ telnet -x -k SMITHCLAN.CA -l root calvin.smithclan.ca
> Trying 192.168.8.2...
> Connected to calvin.smithclan.ca (192.168.8.2).
> Escape character is '^]'.
> Waiting for encryption to be negotiated...
> Authentication negotation has failed, which is required for
> encryption. Good bye.
>
> Root's .k5login on Calvin (an application server in SMITHCLAN.CA):
>
> tillman at SMITHCLAN.PRV
> tillman at SEEKINGFIRE.PRV
>
> Internally, both realms work. It's just the connection from one to the
> other via cross realm trust (and .k5login) that's failing.
>
> I've tried Google for the "Authentication negotation has failed" string
> but I'm not finding anything related to cross realm trusts. It appears
> to be at least partially working - I have the cross realm TGT.
>
> Is there anything obvious that I'm missing or doing wrong?
>
> -T
>
> --
> Zen is the unsymbolization of the world.
> R.H. Blyth
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
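
A check for the kind of realm-name mismatch pointed out in the reply, as an added example that is not part of the original thread: it parses the two kadmin listings quoted above and compares each KDC's krbtgt entries with the three a two-way trust needs. The function names are hypothetical, and the " at " to "@" conversion is only there because the archive obfuscates addresses.

```python
import re

# Listings copied from the post; the archive prints "@" as " at ".
PLUTO = """kadmin.local: listprincs kr*
krbtgt/SEEKINGFIRE.PRV at SEEKINGFIRE.PRV
krbtgt/SEEKINGFIRE.PRV at SMITHCLAN.CA
krbtgt/SMITHCLAN.PRV at SEEKINGFIRE.PRV"""
PMAX = """kadmin> list krb*
krbtgt/SMITHCLAN.PRV at SMITHCLAN.PRV
krbtgt/SMITHCLAN.PRV at SEEKINGFIRE.PRV
krbtgt/SEEKINGFIRE.PRV at SMITHCLAN.PRV"""

PRINC = re.compile(r"krbtgt/([^@\s]+)@(\S+)")

def krbtgt_principals(listing):
    """Return the krbtgt principals in a kadmin listing as 'krbtgt/X@Y' strings."""
    found = set()
    for line in listing.splitlines():
        line = line.strip().replace(" at ", "@")  # undo the archive's obfuscation
        m = PRINC.fullmatch(line)
        if m:  # prompt lines and non-krbtgt principals are skipped
            found.add(f"krbtgt/{m.group(1)}@{m.group(2)}")
    return found

def check_cross_realm(listing, local, remote):
    """Compare one KDC's krbtgt entries with those a two-way trust needs."""
    expected = {
        f"krbtgt/{local}@{local}",    # the realm's own TGS
        f"krbtgt/{remote}@{local}",   # local users reaching remote services
        f"krbtgt/{local}@{remote}",   # remote users reaching local services
    }
    have = krbtgt_principals(listing)
    return {"missing": sorted(expected - have),
            "unexpected": sorted(have - expected)}

if __name__ == "__main__":
    for host, text, local, remote in (
        ("Pluto", PLUTO, "SEEKINGFIRE.PRV", "SMITHCLAN.PRV"),
        ("Pmax", PMAX, "SMITHCLAN.PRV", "SEEKINGFIRE.PRV"),
    ):
        print(host, check_cross_realm(text, local, remote))
```

This compares principal names only; the keys of each cross-realm krbtgt principal must also match on both KDCs, which a listing cannot show.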