Cross realm authentication between MIT and Heimdal

Douglas E. Engert deengert at anl.gov
Thu May 29 10:34:11 EDT 2003



Tillman wrote:
> 
> Host Pluto is my MIT KDC. Host Pmax is a Heimdal KDC I'm trying to set
> up a bi-directional cross realm trust with.
> 
> I've read FAQ2.15, but I'm still running into problems. Here's what I
> have so far:
> 
> On host Pluto:
> kadmin.local:  listprincs kr*
> krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
> krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.CA

This looks wrong, as it appears the realm name should be SMITHCLAN.PRV,
not SMITHCLAN.CA


> krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
> 
> On host Pmax:
> kadmin> list krb*
>   krbtgt/SMITHCLAN.PRV@SMITHCLAN.PRV
>   krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
>   krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.PRV
> 
> My current set of tickets:
> 
> Default principal: tillman@SEEKINGFIRE.PRV
> Valid starting     Expires            Service principal
> 05/27/03 09:00:12  06/24/03 09:00:12  krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
> 05/27/03 09:00:16  06/24/03 09:00:12  host/athena.seekingfire.prv@SEEKINGFIRE.PRV
> 05/27/03 14:30:35  06/24/03 09:00:12  host/athena.seekingfire.prv@SEEKINGFIRE.PRV
> 05/27/03 15:05:38  06/24/03 09:00:12  host/blues.seekingfire.prv@SEEKINGFIRE.PRV
> 05/28/03 10:12:55  06/24/03 09:00:12  krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
> 
> The result of a cross realm Kerberized telnet:
> 
> $ telnet -x -k SMITHCLAN.CA -l root calvin.smithclan.ca
> Trying 192.168.8.2...
> Connected to calvin.smithclan.ca (192.168.8.2).
> Escape character is '^]'.
> Waiting for encryption to be negotiated...
> Authentication negotation has failed, which is required for
> encryption.  Good bye.
> 
> Root's .k5login on Calvin (an application server in SMITHCLAN.CA):
> 
> tillman@SMITHCLAN.PRV
> tillman@SEEKINGFIRE.PRV
> 
> Internally, both realms work. It's just the connection from one to the
> other via cross realm trust (and .k5login) that's failing.
> 
> I've tried Google for the "Authentication negotation has failed" string
> but I'm not finding anything related to cross realm trusts. It appears
> to be at least partially working - I have the cross realm TGT.
> 
> Is there anything obvious that I'm missing or doing wrong?
> 
> -T
> 
> --
> Zen is the unsymbolization of the world.
>         R.H. Blyth

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
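
The realm-name check raised in the reply above, as an added example that is not part of the original thread: it compares each KDC's krbtgt listing with the three principals a two-way trust needs and reports what is missing or belongs to another realm name. The listings are constructed from the ones quoted in the post (with "@" restored), the realm names SEEKINGFIRE.PRV and SMITHCLAN.PRV are taken from the thread, and the function names are illustrative; it does not check that the cross-realm keys match on both KDCs, which is also required.

```python
import re

# Constructed input: the krbtgt listings quoted in the post, with the
# archive's " at " restored to "@".
PLUTO = """\
krbtgt/SEEKINGFIRE.PRV@SEEKINGFIRE.PRV
krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.CA
krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
"""
PMAX = """\
  krbtgt/SMITHCLAN.PRV@SMITHCLAN.PRV
  krbtgt/SMITHCLAN.PRV@SEEKINGFIRE.PRV
  krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.PRV
"""

KRBTGT = re.compile(r"^\s*krbtgt/([^@\s]+)@(\S+)\s*$")


def parse_krbtgt(listing):
    """Return the set of (instance, realm) pairs for krbtgt principals."""
    found = set()
    for line in listing.splitlines():
        m = KRBTGT.match(line)
        if m:
            found.add((m.group(1), m.group(2)))
    return found


def check_trust(listing, local, remote):
    """Compare one KDC's krbtgt principals with what a two-way trust needs.

    Needed in each KDC: the local TGS krbtgt/local@local plus both
    cross-realm principals krbtgt/remote@local and krbtgt/local@remote.
    "unexpected" means only "not part of this realm pair"; a KDC with
    other trusts will legitimately list more krbtgt principals.
    """
    have = parse_krbtgt(listing)
    need = {(local, local), (remote, local), (local, remote)}
    return {
        "missing": sorted("krbtgt/%s@%s" % p for p in need - have),
        "unexpected": sorted("krbtgt/%s@%s" % p for p in have - need),
    }


if __name__ == "__main__":
    print("Pluto", check_trust(PLUTO, "SEEKINGFIRE.PRV", "SMITHCLAN.PRV"))
    print("Pmax", check_trust(PMAX, "SMITHCLAN.PRV", "SEEKINGFIRE.PRV"))
```

On the quoted listings, Pluto is reported as missing krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.PRV and holding krbtgt/SEEKINGFIRE.PRV@SMITHCLAN.CA instead, while Pmax has all three.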

