Cross-realm issue - what am I missing?

Jeffrey Altman jaltman2 at nyc.rr.com
Wed Apr 14 19:00:23 EDT 2004


Inger, Slav (.) wrote:
> Hi all,
> 
> I tested cross-realm awhile back and it seemed to work fine, not sure why I'm running into issues now, maybe I'm forgetting something obvious.  Scenario:  KDC is Active Directory, clients are running Solaris and HP-UX with Kerberos and appropriate patches.  I tried going Sun to Sun and HP to HP, didn't get too far with either.  Two clients are in different realms, have good keytabs and good krb5.conf's (tried with and without [capaths] section).  The passwd entries for the user logging in from one realm to the other are identical on both clients (meaning the same user is doing cross-realm login).  The issue is with authorization, for some reason the destination machine is not authorizing the user from the source realm.  Works the same with and without .k5login file in user's home dir on the destination host.  [domain_realm] is set up correctly, with two DNS domains referencing their respective realms.  The user's cache shows 2 TGTs (for his own realm and one for cross-realm) and a host ticket, but he just can't log in.  Any idea what's going on here?  Thanks!


Cross-realm implies two different KDCs, one for each realm, which
are configured to issue tickets for one another.  You have
described one KDC (Active Directory).  Could you please
correct the description of your problem?

