Cross realm authentication between MTI and Heimdal

Douglas E. Engert deengert at anl.gov
Thu May 29 10:38:36 EDT 2003
Tillman wrote:
> 
> On Wed, May 28, 2003 at 04:19:40PM -0600, Tillman wrote:
> > The result of a cross realm Kerberized telnet:
> >
> > $ telnet -x -k SMITHCLAN.CA -l root calvin.smithclan.ca

The realm name looks wrong, see previous note, and see below.

> > Trying 192.168.8.2...
> > Connected to calvin.smithclan.ca (192.168.8.2).
> > Escape character is '^]'.
> > Waiting for encryption to be negotiated...
> > Authentication negotation has failed, which is required for
> > encryption.  Good bye.
> 
> Following up on my own post, here's an authdebug'ed telnet session:
> 
> $ telnet -x -l toor -k SMITHCLAN.CA
> telnet> toggle authdebug
> auth debugging enabled
> telnet> open calvin.smithclan.ca
> Trying 192.168.8.2...
> Connected to calvin.smithclan.ca (192.168.8.2).
> Escape character is '^]'.
> >>>TELNET: I support auth type 2 6
> >>>TELNET: I support auth type 2 2
> >>>TELNET: I support auth type 2 0
> >>>TELNET: I support auth type 1 2
> >>>TELNET: I support auth type 1 0
> Waiting for encryption to be negotiated...
> >>>TELNET: auth_send got: 02 02 02 00 06 00
> >>>TELNET: He supports 2
> >>>TELNET: Trying 2 2
> telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
> database)
> >>>TELNET: He supports 2
> >>>TELNET: Trying 2 0
> telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
> database)
> >>>TELNET: He supports 6
> >>>TELNET: Sent failure message
> 
> Authentication negotation has failed, which is required for
> encryption.  Good bye.
> 
> Hopefully this helps diagnose things - the server not found seems odd,
> because if it's talking about the host principal it definitely exists
> (evidenced by the fact that when I have a ticket from the SMITHCLAN.CA
> realm I can telnet -x to it normally).
> 
> The relevant sections of my krb5.conf look like this:
> 
> [realms]
>  SEEKINGFIRE.PRV = {
>   kdc = pluto.seekingfire.prv:88
>   admin_server = pluto.seekingfire.prv:749
>   default_domain = seekingfire.prv
>  }
>  SMITHCLAN.PRV = {
>   kdc = 192.168.8.49:88
>   default_domain = smithclan.ca
>  }
> 

You might want to add this so you don't have to use the -k option
to specify the DNS domain to realm mappings.


[domain_realm]
   .smithclan.ca = SMITHCLAN.PRV
   .seekingfire.com = SEEKINGFIRE.PRV


> -T
> 
> --
> "Surely the 4 sysadmins of the apocalypse should be:
>  edquota, rm -rf, kill -9, and shutdown."
>         - Rob Blake
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
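As an added illustration (this is not code from the thread or from MIT or Heimdal), the script below mimics how the krb5 library turns a target hostname into a realm using the [domain_realm] section: an exact hostname entry wins, then the longest matching parent domain written with a leading dot, and only if nothing matches does default_realm apply. The embedded krb5.conf is constructed from the [realms] stanzas quoted above plus a [domain_realm] section; it maps `.seekingfire.prv` rather than `.seekingfire.com`, an assumption made to match the KDC hostname in the quoted config, and it assumes a default_realm of SEEKINGFIRE.PRV, which the thread does not state.

```python
from typing import Dict, Mapping, Optional

# Constructed krb5.conf fragment (assumption: default_realm and the
# .seekingfire.prv mapping are not stated in the thread).
KRB5_CONF = """
[libdefaults]
 default_realm = SEEKINGFIRE.PRV

[realms]
 SEEKINGFIRE.PRV = {
  kdc = pluto.seekingfire.prv:88
  admin_server = pluto.seekingfire.prv:749
  default_domain = seekingfire.prv
 }
 SMITHCLAN.PRV = {
  kdc = 192.168.8.49:88
  default_domain = smithclan.ca
 }

[domain_realm]
 .smithclan.ca = SMITHCLAN.PRV
 .seekingfire.prv = SEEKINGFIRE.PRV
"""


def parse_section(conf: str, section: str) -> Dict[str, str]:
    """Return the top-level 'key = value' pairs of one [section] of a krb5.conf
    string. Braced sub-blocks (the per-realm blocks in [realms]) are skipped."""
    result: Dict[str, str] = {}
    current = None
    depth = 0
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            depth = 0
            continue
        if current != section:
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result


def realm_for_host(host: str, domain_realm: Mapping[str, str],
                   default_realm: Optional[str]) -> Optional[str]:
    """Resolve a hostname to a realm the way [domain_realm] is consulted:
    exact hostname first, then each parent domain with a leading dot (longest
    suffix first), and finally default_realm if nothing matched."""
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in domain_realm.items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return default_realm


def host_principal(host: str, conf: str) -> str:
    """Build the host/ service principal a Kerberized telnet client would ask
    its KDC for, given the realm that the config resolves for the host."""
    default_realm = parse_section(conf, "libdefaults").get("default_realm")
    realm = realm_for_host(host, parse_section(conf, "domain_realm"), default_realm)
    return f"host/{host}@{realm}"


if __name__ == "__main__":
    target = "calvin.smithclan.ca"
    # With the mapping in place the client asks for the principal in SMITHCLAN.PRV.
    print(host_principal(target, KRB5_CONF))
    # Without any [domain_realm] entry the host falls back to default_realm,
    # so the client would look for host/calvin.smithclan.ca in the wrong realm.
    print(realm_for_host(target, {}, "SEEKINGFIRE.PRV"))
```

The second print shows why the mapping matters: if the resolved realm is one where the host principal is not registered, the KDC has no such service principal and the client reports "Server not found in Kerberos database", which is the error quoted earlier in the thread. Passing a realm with `-k` overrides this lookup, so a typo in that realm name (SMITHCLAN.CA versus SMITHCLAN.PRV) produces the same failure.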