Cross realm authentication between MTI and Heimdal
Douglas E. Engert
deengert at anl.gov
Thu May 29 10:38:36 EDT 2003
Tillman wrote:
>
> On Wed, May 28, 2003 at 04:19:40PM -0600, Tillman wrote:
> > The result of a cross realm Kerberized telnet:
> >
> > $ telnet -x -k SMITHCLAN.CA -l root calvin.smithclan.ca
The realm name looks wrong, see previous note, and see below.
> > Trying 192.168.8.2...
> > Connected to calvin.smithclan.ca (192.168.8.2).
> > Escape character is '^]'.
> > Waiting for encryption to be negotiated...
> > Authentication negotation has failed, which is required for
> > encryption. Good bye.
>
> Following up on my own post, here's an authdebug'ed telnet session:
>
> $ telnet -x -l toor -k SMITHCLAN.CA
> telnet> toggle authdebug
> auth debugging enabled
> telnet> open calvin.smithclan.ca
> Trying 192.168.8.2...
> Connected to calvin.smithclan.ca (192.168.8.2).
> Escape character is '^]'.
> >>>TELNET: I support auth type 2 6
> >>>TELNET: I support auth type 2 2
> >>>TELNET: I support auth type 2 0
> >>>TELNET: I support auth type 1 2
> >>>TELNET: I support auth type 1 0
> Waiting for encryption to be negotiated...
> >>>TELNET: auth_send got: 02 02 02 00 06 00
> >>>TELNET: He supports 2
> >>>TELNET: Trying 2 2
> telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
> database)
> >>>TELNET: He supports 2
> >>>TELNET: Trying 2 0
> telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
> database)
> >>>TELNET: He supports 6
> >>>TELNET: Sent failure message
>
> Authentication negotation has failed, which is required for
> encryption. Good bye.
>
> Hopefully this helps diagnose things - the server not found seems odd,
> because if it's talking about the host principal it definitely exists
> (evidenced by the fact that when I have a ticket from the SMITHCLAN.CA
> realm I can telnet -x to it normally).
>
> The relevant sections of my krb5.conf look like this:
>
> [realms]
> SEEKINGFIRE.PRV = {
> kdc = pluto.seekingfire.prv:88
> admin_server = pluto.seekingfire.prv:749
> default_domain = seekingfire.prv
> }
> SMITHCLAN.PRV = {
> kdc = 192.168.8.49:88
> default_domain = smithclan.ca
> }
>
You might want to add this so you don't have to use the -k option
to specify the DNS domain to realm mappings.
[domain_realm]
.smithclan.ca = SMITHCLAN.PRV
.seekingfire.com = SEEKINGFIRE.PRV
> -T
>
> --
> "Surely the 4 sysadmins of the apocalypse should be:
> edquota, rm -rf, kill -9, and shutdown."
> - Rob Blake
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
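The mapping suggested above matters because, without a [domain_realm] entry, the Kerberos library has to guess the realm of calvin.smithclan.ca from its DNS name (the uppercased domain, SMITHCLAN.CA), which is not the realm the KDC actually serves (SMITHCLAN.PRV). The following is an added example, not code from the thread or from MIT or Heimdal: it parses a constructed krb5.conf fragment (based on the mapping proposed in the reply) and resolves a hostname to a realm with the same rule the libraries use (exact host match, then parent domains, longest match first, then the DNS-name guess as a fallback). The fallback and the parser are simplified assumptions for illustration; real libraries may also consult DNS.

```python
"""Resolve a host's Kerberos realm from a krb5.conf [domain_realm] section.

Added example for the cross-realm telnet thread; it is not the library's
own code. The parser handles the flat "key = value" form only.
"""
import re

# Constructed sample krb5.conf, modelled on the mapping suggested in the reply.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = SEEKINGFIRE.PRV

[realms]
    SEEKINGFIRE.PRV = {
        kdc = pluto.seekingfire.prv:88
        admin_server = pluto.seekingfire.prv:749
    }
    SMITHCLAN.PRV = {
        kdc = 192.168.8.49:88
    }

[domain_realm]
    .smithclan.ca = SMITHCLAN.PRV
    smithclan.ca = SMITHCLAN.PRV
    .seekingfire.prv = SEEKINGFIRE.PRV
"""


def parse_domain_realm(text):
    """Return {domain_pattern: realm} from the [domain_realm] section."""
    mapping = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            in_section = header.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def parse_realm_names(text):
    """Return the set of realm names that have a block in [realms]."""
    names = set()
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            in_section = header.group(1) == "realms"
            continue
        block = re.match(r"^(\S+)\s*=\s*\{", line)
        if in_section and block:
            names.add(block.group(1))
    return names


def host_to_realm(hostname, mapping):
    """Map a hostname to (realm, explicit).

    explicit is True when a [domain_realm] entry decided the realm. The
    lookup tries the exact host, then each parent domain with a leading dot,
    longest first. With no match it falls back to the uppercased DNS domain,
    which is the guess that produced SMITHCLAN.CA in the thread (assumed
    simplification of the library behaviour).
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], True
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate], True
    return ".".join(labels[1:]).upper(), False


def check_host(hostname, conf_text):
    """Report whether the realm chosen for hostname is one this krb5.conf knows."""
    realm, explicit = host_to_realm(hostname, parse_domain_realm(conf_text))
    known = realm in parse_realm_names(conf_text)
    return {"realm": realm, "explicit": explicit, "known_realm": known}


if __name__ == "__main__":
    # With the mapping: SMITHCLAN.PRV, a realm [realms] knows about.
    print(check_host("calvin.smithclan.ca", SAMPLE_KRB5_CONF))
    # Without any mapping: the DNS guess SMITHCLAN.CA, which no KDC serves.
    print(host_to_realm("calvin.smithclan.ca", {}))
```

Running check_host on a host that resolves to a realm absent from [realms] is a quick way to spot the mismatch before the telnet client reports "Server not found in Kerberos database": the client asked its KDC for a service ticket in a realm that does not exist under that name.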