Solaris 9 Cross Realm Authentication Problems

Darren Hoch darren.hoch at litemail.org
Sat Apr 2 02:33:08 EST 2005


Hello All,

Thanks Jeffrey. I deleted the old krbtgt principals and added the 
following on each host:

krbtgt/EXAMPLE.COM@EXAMPLE1.COM
krbtgt/EXAMPLE1.COM@EXAMPLE.COM

I am almost there. When user darren now tries to telnet (kerberized) 
from a host in realm EXAMPLE.COM to a host in EXAMPLE1.COM, the 
credentials and encryption are accepted, however, I am still prompted 
for a password for the user darren in realm EXAMPLE1.COM. Should I be 
prompted, or should I be able to do single sign on?

Thanks,
Darren

server1.example.com -> telnet -a -f -x horn.example1.com
Trying 10.16.1.21...
Connected to horn.example1.com (10.16.1.21).
Escape character is '^]'.
Waiting for encryption to be negotiated...[ Kerberos V5 accepts you as : 
:``darren@EXAMPLE.COM'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
Password for darren:
Last login: Fri Apr  1 22:58:31 on pts/2
Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
Welcome to Sol9_FCS on horn
horn.example1.com -> klist
Ticket cache: /tmp/krb5cc_100
Default principal: darren@EXAMPLE1.COM

Valid starting            Expires                   Service principal
Fri Apr 01 23:02:07 2005  Sat Apr 02 07:02:07 2005  krbtgt/EXAMPLE1.COM@EXAMPLE1.COM


>
>> kadmin: listprincs
>> <snip>
>> krbtgt/example1.com@EXAMPLE2.COM
>> krbtgt/example2.com@EXAMPLE1.COM
>> krbtgt/example1.com@EXAMPLE.COM
>
>
> The second components of each of these principal names must exactly 
> match the name of the realm involved, including case.  So, for 
> example, for a client in the EXAMPLE1.COM realm to authenticate to a 
> service in the EXAMPLE.COM realm, you need 
> krbtgt/EXAMPLE.COM@EXAMPLE1.COM to exist.  Of course, it needs to 
> exist in both realms and have the same key and kvno in both places.
>
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
>   Sr. Research Systems Programmer
>   School of Computer Science - Research Computing Facility
>   Carnegie Mellon University - Pittsburgh, PA
>
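
The naming rule from the quoted reply, written as a check (an added example, not part of the original thread): for a client realm and a service realm, it verifies that krbtgt/SERVICE@CLIENT exists with exact case in both KDC databases and that the kvno matches. The function name, the dictionary layout and the sample kvno values are assumptions constructed for illustration.

```python
def check_trust(client_realm, service_realm, kdc_dbs):
    """Return a list of problems with the cross-realm TGT principal.

    kdc_dbs maps realm name -> {principal name: kvno}, i.e. what an
    administrator would collect from each KDC (hypothetical layout).
    Key equality cannot be seen in a listing, so only name and kvno
    are compared here.
    """
    needed = f"krbtgt/{service_realm}@{client_realm}"
    problems = []
    kvnos = []
    for realm in (client_realm, service_realm):
        db = kdc_dbs[realm]
        if needed in db:
            kvnos.append(db[needed])
            continue
        # Same name in a different case is the mistake discussed in the thread.
        near = [p for p in db if p.lower() == needed.lower()]
        if near:
            problems.append(
                f"{realm}: found {near[0]}, need {needed} (case must match)")
        else:
            problems.append(f"{realm}: {needed} is missing")
    if len(kvnos) == 2 and kvnos[0] != kvnos[1]:
        problems.append(f"{needed}: kvno {kvnos[0]} vs {kvnos[1]} differs")
    return problems


# Constructed sample data: the EXAMPLE1.COM KDC still holds the
# lower-case principal from the earlier listing.
SAMPLE_DBS = {
    "EXAMPLE.COM": {
        "krbtgt/EXAMPLE.COM@EXAMPLE.COM": 1,
        "krbtgt/EXAMPLE1.COM@EXAMPLE.COM": 2,
    },
    "EXAMPLE1.COM": {
        "krbtgt/EXAMPLE1.COM@EXAMPLE1.COM": 1,
        "krbtgt/example1.com@EXAMPLE.COM": 2,
    },
}

if __name__ == "__main__":
    # Client in EXAMPLE.COM reaching a service in EXAMPLE1.COM.
    for line in check_trust("EXAMPLE.COM", "EXAMPLE1.COM", SAMPLE_DBS):
        print(line)
```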


