Solaris 9 Cross Realm Authentication Problems

Markus Moeller huaraz at moeller.plus.com
Sun Apr 3 07:22:22 EDT 2005


Has anybody tried to centralise the .k5login by storing this information in 
LDAP?

Thanks
Markus

"Jeffrey Hutzelman" <jhutz at cmu.edu> wrote in message 
news:7B1894BF811333D1C3B83881 at sirius.fac.cs.cmu.edu...
>
>
> On Friday, April 01, 2005 11:33:08 PM -0800 Darren Hoch 
> <darren.hoch at litemail.org> wrote:
>
>> Hello All,
>>
>> Thanks Jeffrey. I deleted the old krbtgt principals and added the
>> following on each host:
>>
>> krbtgt/EXAMPLE.COM at EXAMPLE1.COM
>> krbtgt/EXAMPLE1.COM at EXAMPLE.COM
>>
>> I am almost there. When user darren now tries to telnet (kerberized) from
>> a host in realm EXAMPLE.COM to a host in EXAMPLE1.COM, the credentials
>> and encryption are accepted, however, I am still prompted for a password
>> for the user darren in realm EXAMPLE1.COM. Should I be prompted, or should
>> I be able to do single sign on?
>
> It sounds like now you are successfully authenticating to the telnet 
> server, and the authorization check is failing.  This is not surprising, 
> since the default policy only allows you to log in as user 'foo' if you 
> are authenticated as the principal 'foo at LOCAL.REALM'.  You can override 
> the local policy for a given user by giving that user a .k5login file 
> listing the principals who are allowed to log in as him.  For example, you 
> could give 'darren' a .k5login file containing the following two lines:
>
> darren at EXAMPLE.COM
> darren at EXAMPLE1.COM
>
>
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
>   Sr. Research Systems Programmer
>   School of Computer Science - Research Computing Facility
>   Carnegie Mellon University - Pittsburgh, PA
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
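The authorization rule Jeffrey describes (default mapping of 'foo at LOCAL.REALM' to local user 'foo', overridden by a per-user .k5login), modelled as an added example that is not code from the thread or from the krb5 sources. It assumes the ticket has already been validated, uses a literal "@" where the archive shows "at", and treats .k5login as one principal per line with blank lines ignored.

```python
from typing import Optional


def split_principal(principal: str) -> Optional[tuple]:
    """Split 'name@REALM' into (name, REALM); None if malformed."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        return None
    return name, realm


def default_policy_allows(principal: str, local_user: str, local_realm: str) -> bool:
    """Default policy: only 'user@LOCAL.REALM' may log in as local 'user'.
    This is why darren@EXAMPLE.COM is still asked for a password on an
    EXAMPLE1.COM host even though cross-realm authentication succeeded."""
    parts = split_principal(principal)
    if parts is None:
        return False
    name, realm = parts
    return name == local_user and realm == local_realm


def k5login_allows(principal: str, k5login_text: str) -> bool:
    """When a .k5login exists, only the principals listed in it are
    accepted; the default name mapping is not consulted at all."""
    listed = {line.strip() for line in k5login_text.splitlines() if line.strip()}
    return principal in listed


def authorize_login(principal: str, local_user: str, local_realm: str,
                    k5login_text: Optional[str]) -> bool:
    """Authorization decision for an already-authenticated principal.
    k5login_text is the contents of ~local_user/.k5login, or None if
    the file does not exist (constructed input in the test below)."""
    if k5login_text is not None:
        return k5login_allows(principal, k5login_text)
    return default_policy_allows(principal, local_user, local_realm)
```

Real krb5 additionally refuses a .k5login that is not owned by the target user or root, so a centralised copy (e.g. fetched from LDAP) still has to land on disk with the right ownership.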