Solaris 9 Cross Realm Authentication Problems

Darren Hoch webmaster at litemail.org
Fri Apr 1 22:23:37 EST 2005 

Hello All,

Problem:

New to the list and I am all googled out at this point. I am hoping this
list can help me get this to work. I am using Solaris 9 FCS and the stock
kerberos software. I am trying to setup direct cross-realm authentication
between 3 realms. I have successfully tested clients within the realms. I
can login, telnet (using Sun's add on kerberized telnet), and even use
fully kerberized NFS in each realm with the user darren.  My goal is to
have the user darren telnet from a host in realm EXAMPLE.COM to a host in
realm EXAMPLE1.COM. I keep on getting authentication errors.

Am I missing something?

Thanks,

Darren

Background:

REALMS:
EXAMPLE.COM
EXAMPLE1.COM
EXAMPLE2.COM

Unix user and principal for "darren" exist in all 3 realms with same
passwd, shell, home directory.

Output:

horn.example1.com-> klist
Ticket cache: /tmp/krb5cc_100
Default principal: darren at EXAMPLE1.COM

Valid starting                       Expires                       Service
principal
Fri Apr 01 14:47:58 2005  Fri Apr 01 22:47:58 2005
krbtgt/EXAMPLE1.COM at EXAMPLE1.COM
Fri Apr 01 14:47:58 2005  Fri Apr 01 22:47:58 2005
host/horn.example1.com at EXAMPLE1.COM
horn.example1.com -> telnet -a -x server1.example.com
Trying 10.16.1.100...
Connected to server1 (10.16.1.100).
Escape character is '^]'.
Waiting for encryption to be negotiated...
Server refused to negotiation authentication, which is required
for encryption.  Good bye.

Now, here are all my configs:

krb5.conf On host horn.example1.com (realm EXAMPLE1.COM):

[domain_realm]
        lexus.example.com = EXAMPLE.COM     #Master
        server1.example.com = EXAMPLE.COM #Slave
        mako.example.com = EXAMPLE.COM     #Client
        blue.example.com = EXAMPLE.COM     #Client
        horn.example1.com = EXAMPLE1.COM #MAster
        houndnose.example1.com = EXAMPLE1.COM #slave
        blacktip.example1.com = EXAMPLE1.COM   #client
        leopard.example1.com = EXAMPLE1.COM #client
        whitetip.example2.com = EXAMPLE2.COM   #master
        thresher.example2.com = EXAMPLE2.COM #slave
        sevengill.example2.com = EXAMPLE2.COM #client


[capaths]
        EXAMPLE2.COM = { EXAMPLE1.COM = . }
        EXAMPLE.COM = { EXAMPLE1.COM = . }
        EXAMPLE1.COM = {
                        EXAMPLE2.COM = .
                        EXAMPLE.COM = .
                        }

Principals for realm EXAMPLE1.COM

kadmin: lisprincs
<snip>
krbtgt/example1.com at EXAMPLE2.COM
krbtgt/example2.com at EXAMPLE1.COM
krbtgt/example1.com at EXAMPLE.COM
<snip>


krb5.conf On host server1.example.com (realm EXAMPLE.COM):

[domain_realm]
        lexus.example.com = EXAMPLE.COM
        server1.example.com = EXAMPLE.COM
        mako.example.com = EXAMPLE.COM
        blue.example.com = EXAMPLE.COM
        horn.example1.com = EXAMPLE1.COM
        houndnose.example1.com = EXAMPLE1.COM
        blacktip.example1.com = EXAMPLE1.COM
        leopard.example1.com = EXAMPLE1.COM
        whitetip.example2.com = EXAMPLE2.COM
        thresher.example2.com = EXAMPLE2.COM
        sevengill.example2.com = EXAMPLE2.COM
[capaths]
        EXAMPLE.COM = { EXAMPLE1.COM = . }
        EXAMPLE1.COM = { EXAMPLE.COM = . }

principals in realm EXAMPLE.COM

kadmin: listprincs
<snip>
krbtgt/example1.com at EXAMPLE.COM
krbtgt/example.com at EXAMPLE1.COM
<snip>

More information about the Kerberos mailing list