Solaris 9 Cross Realm Authentication Problem
Darren Hoch
darren.hoch at litemail.org
Fri Apr 1 19:05:09 EST 2005
Hello All,
Problem:
New to the list and I am all googled out at this point. I am hoping this
list can help me get this to work. I am using Solaris 9 FCS and the stock
kerberos software. I am trying to setup direct cross-realm authentication
between 3 realms. I have successfully tested clients within the realms. I
can login, telnet (using Sun's add on kerberized telnet), and even use
fully kerberized NFS in each realm with the user darren. My goal is to
have the user darren telnet from a host in realm EXAMPLE.COM to a host in
realm EXAMPLE1.COM. I keep on getting authentication errors.
Am I missing something?
Thanks,
Darren
Background:
REALMS:
EXAMPLE.COM
EXAMPLE1.COM
EXAMPLE2.COM
Unix user and principal for "darren" exist in all 3 realms with same
passwd, shell, home directory.
Output:
horn.example1.com-> klist
Ticket cache: /tmp/krb5cc_100
Default principal: darren at EXAMPLE1.COM
Valid starting Expires Service
principal
Fri Apr 01 14:47:58 2005 Fri Apr 01 22:47:58 2005
krbtgt/EXAMPLE1.COM at EXAMPLE1.COM
Fri Apr 01 14:47:58 2005 Fri Apr 01 22:47:58 2005
host/horn.example1.com at EXAMPLE1.COM
horn.example1.com -> telnet -a -x server1.example.com
Trying 10.16.1.100...
Connected to server1 (10.16.1.100).
Escape character is '^]'.
Waiting for encryption to be negotiated...
Server refused to negotiation authentication, which is required
for encryption. Good bye.
Now, here are all my configs:
krb5.conf On host horn.example1.com (realm EXAMPLE1.COM):
[domain_realm]
lexus.example.com = EXAMPLE.COM #Master
server1.example.com = EXAMPLE.COM #Slave
mako.example.com = EXAMPLE.COM #Client
blue.example.com = EXAMPLE.COM #Client
horn.example1.com = EXAMPLE1.COM #MAster
houndnose.example1.com = EXAMPLE1.COM #slave
blacktip.example1.com = EXAMPLE1.COM #client
leopard.example1.com = EXAMPLE1.COM #client
whitetip.example2.com = EXAMPLE2.COM #master
thresher.example2.com = EXAMPLE2.COM #slave
sevengill.example2.com = EXAMPLE2.COM #client
[capaths]
EXAMPLE2.COM = { EXAMPLE1.COM = . }
EXAMPLE.COM = { EXAMPLE1.COM = . }
EXAMPLE1.COM = {
EXAMPLE2.COM = .
EXAMPLE.COM = .
}
Principals for realm EXAMPLE1.COM
kadmin: lisprincs
<snip>
krbtgt/example1.com at EXAMPLE2.COM
krbtgt/example2.com at EXAMPLE1.COM
krbtgt/example1.com at EXAMPLE.COM
<snip>
krb5.conf On host server1.example.com (realm EXAMPLE.COM):
[domain_realm]
lexus.example.com = EXAMPLE.COM
server1.example.com = EXAMPLE.COM
mako.example.com = EXAMPLE.COM
blue.example.com = EXAMPLE.COM
horn.example1.com = EXAMPLE1.COM
houndnose.example1.com = EXAMPLE1.COM
blacktip.example1.com = EXAMPLE1.COM
leopard.example1.com = EXAMPLE1.COM
whitetip.example2.com = EXAMPLE2.COM
thresher.example2.com = EXAMPLE2.COM
sevengill.example2.com = EXAMPLE2.COM
[capaths]
EXAMPLE.COM = { EXAMPLE1.COM = . }
EXAMPLE1.COM = { EXAMPLE.COM = . }
principals in realm EXAMPLE.COM
kadmin: listprincs
<snip>
krbtgt/example1.com at EXAMPLE.COM
krbtgt/example.com at EXAMPLE1.COM
<snip>
More information about the Kerberos
mailing list