Solaris 9 Cross Realm Authentication Problems
Jeffrey Hutzelman
jhutz at cmu.edu
Sat Apr 2 16:46:24 EST 2005
On Friday, April 01, 2005 11:33:08 PM -0800 Darren Hoch
<darren.hoch at litemail.org> wrote:
> Hello All,
>
> Thanks Jeffery. I deleted the old krbtgt principals and added the
> following on each host:
>
> krbtgt/EXAMPLE.COM@EXAMPLE1.COM
> krbtgt/EXAMPLE1.COM@EXAMPLE.COM
>
> I am almost there. When user darren now tries to telnet (kerberized) from
> a host in realm EXAMPLE.COM to a host in EXAMPLE1.COM, the credentials
> and encryption are accepted, however, I am still prompted for a password
> for the user darren in realm EXAMPLE1.COM. Should I be prompted, or should
> I be able to do single sign on?
It sounds like now you are successfully authenticating to the telnet
server, and the authorization check is failing. This is not surprising,
since the default policy only allows you to log in as user 'foo' if you are
authenticated as the principal 'foo@LOCAL.REALM'. You can override the
local policy for a given user by giving that user a .k5login file listing
the principals who are allowed to log in as him. For example, you could
give 'darren' a .k5login file containing the following two lines:
darren@EXAMPLE.COM
darren@EXAMPLE1.COM
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
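The authorization rule described in the reply, as an added example that is not part of the original thread or of MIT Kerberos itself: the default policy admits only user@LOCAL.REALM, and a .k5login file, when present, replaces that rule with an explicit list. Function names and the sample .k5login contents are constructed for illustration.

```python
# Constructed model of the krb5 login authorization decision discussed above.
# Not MIT Kerberos code; names and sample data are assumptions for this example.

# Constructed .k5login body for user 'darren' on a host in realm EXAMPLE1.COM,
# listing both the local and the cross-realm principal, as the reply suggests.
SAMPLE_K5LOGIN = """# constructed sample
darren@EXAMPLE1.COM
darren@EXAMPLE.COM
"""


def parse_k5login(text):
    """Return the set of principals named in a .k5login file body.

    One principal per line; blank lines and '#' comment lines are skipped
    (comment handling is an assumption of this example)."""
    principals = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            principals.add(line)
    return principals


def is_login_authorized(local_user, principal, local_realm, k5login_text=None):
    """Decide whether the authenticated `principal` may log in as `local_user`.

    Without a .k5login the only accepted principal is <user>@<local realm>,
    which is exactly why a cross-realm user is authenticated but then asked
    for a password. With a .k5login, only the listed principals are accepted,
    so the local principal must be listed too if local logins should keep
    working."""
    if k5login_text is not None:
        return principal in parse_k5login(k5login_text)
    return principal == f"{local_user}@{local_realm}"


def demo():
    """Walk through the situation in the thread; returns the four decisions."""
    local_realm = "EXAMPLE1.COM"
    return {
        "cross_realm_no_k5login": is_login_authorized("darren", "darren@EXAMPLE.COM", local_realm),
        "local_no_k5login": is_login_authorized("darren", "darren@EXAMPLE1.COM", local_realm),
        "cross_realm_with_k5login": is_login_authorized("darren", "darren@EXAMPLE.COM", local_realm, SAMPLE_K5LOGIN),
        "other_user_with_k5login": is_login_authorized("darren", "mallory@EXAMPLE.COM", local_realm, SAMPLE_K5LOGIN),
    }
```

The comparison is an exact string match on the full principal name, so a realm spelled differently (case included) will not match.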