Cross-realm issue - what am I missing?

Douglas E. Engert deengert at anl.gov
Wed Apr 14 23:28:12 EDT 2004



"Inger, Slav (.)" wrote:
> 
> Hi all,
> 
> I tested cross-realm awhile back and it seemed to work fine, not sure why I'm running into issues now, maybe I'm forgetting something obvious.  Scenario:  KDC is Active Directory, clients are running Solaris and HP-UX with Kerberos and appropriate patches.  I tried going Sun to Sun and HP to HP, didn't get too far with either.  Two clients are in different realms, have good keytabs and good krb5.conf's (tried with and without [capaths] section).  The passwd entries for the user logging in from one realm to the other are identical on both clients (meaning the same user is doing cross-realm login).  The issue is with authorization, for some reason the destination machine is not authorizing the user from the source realm.  Works the same with and without .k5login file in user's home dir on the destination host.

Can you send output of kinit -f as well as the .k5login file?

> [domain_realm] is set up correctly, with two DNS domains referencing their respective realms.  The user's cache shows 2 TGTs (for his own realm and one for cross-realm) and a host ticket, but he just can't log in.  Any idea what's going on here?  Thanks!

You say everything is set up correctly, but this may not be the case. Can you give some
more output?


> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

