Solaris 9 Cross Realm Authentication Problems
Douglas E. Engert
deengert at anl.gov
Mon Apr 4 10:08:50 EDT 2005
Markus Moeller wrote:
> Has anybody tried to centralise the .k5login by storing this information in
> ldap ?
Not sure, but a good idea. A related way to do this is to use
the auth_to_local option in the [realms] section of krb5.conf.
If all your users from one realm (SAMPLE1.COM) are trusted as local
users in another realm (SAMPLE2.COM), then you could do something like:
[realms]
    SAMPLE1.COM = {
        kdc = ...
    }
    SAMPLE2.COM = {
        kdc = ...
        # Map one-component principals in SAMPLE1.COM to the same local user
        # name. The dots in the realm are escaped so the regular expression
        # matches them literally rather than as "any character".
        auth_to_local = RULE:[1:$1@$0](^.*@SAMPLE1\.COM$)s/@SAMPLE1\.COM//
        # Fall back to the default mapping (one-component principals in the
        # local realm only); DEFAULT is the documented spelling.
        auth_to_local = DEFAULT
    }
This tells SAMPLE2.COM servers to treat any User@SAMPLE1.COM principal
as the local user User.
>
> Thanks
> Markus
>
> "Jeffrey Hutzelman" <jhutz at cmu.edu> wrote in message
> news:7B1894BF811333D1C3B83881 at sirius.fac.cs.cmu.edu...
>
>>
>>On Friday, April 01, 2005 11:33:08 PM -0800 Darren Hoch
>><darren.hoch at litemail.org> wrote:
>>
>>
>>>Hello All,
>>>
>>>Thanks Jeffrey. I deleted the old krbtgt principals and added the
>>>following on each host:
>>>
>>>krbtgt/EXAMPLE.COM@EXAMPLE1.COM
>>>krbtgt/EXAMPLE1.COM@EXAMPLE.COM
>>>
>>>I am almost there. When user darren now tries to telnet (kerberized) from
>>>a host in realm EXAMPLE.COM to a host in EXAMPLE1.COM, the credentials
>>>and encryption are accepted, however, I am still prompted for a password
>>>for the user darren in realm EXAMPLE1.COM. Should I be prompted, or should
>>>I be able to do single sign on?
>>
>>It sounds like now you are successfully authenticating to the telnet
>>server, and the authorization check is failing. This is not surprising,
>>since the default policy only allows you to log in as user 'foo' if you
>>are authenticated as the principal 'foo@LOCAL.REALM'. You can override
>>the local policy for a given user by giving that user a .k5login file
>>listing the principals who are allowed to log in as him. For example, you
>>could give 'darren' a .k5login file containing the following two lines:
>>
>>darren@EXAMPLE.COM
>>darren@EXAMPLE1.COM
>>
>>
>>-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
>> Sr. Research Systems Programmer
>> School of Computer Science - Research Computing Facility
>> Carnegie Mellon University - Pittsburgh, PA
>>
>>________________________________________________
>>Kerberos mailing list Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
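The mapping rule and the .k5login check discussed in this thread, as an added worked example (not code from any of the posts above and not MIT Kerberos' own implementation): a small Python emulation of MIT-style auth_to_local RULE/DEFAULT processing followed by the login server's authorization decision. The realm names SAMPLE1.COM and SAMPLE2.COM are the thread's placeholders, the principals fed to it are constructed for the example, and the realm dots in the rule are escaped so they match literally.

```python
import re

# Local realm of the server performing the authorization check
# (assumption taken from the thread's SAMPLE2.COM example).
LOCAL_REALM = "SAMPLE2.COM"

# auth_to_local values as they would appear in the SAMPLE2.COM [realms]
# entry: the RULE from the post (dots escaped), then the DEFAULT mapping.
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](^.*@SAMPLE1\.COM$)s/@SAMPLE1\.COM//",
    "DEFAULT",
]

# RULE:[n:selector](regexp)s/pattern/replacement/[g]
RULE_SYNTAX = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (list of components, realm)."""
    name, at, realm = principal.rpartition("@")
    if not at or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Apply one auth_to_local value. Returns a local user name, or None
    when the rule does not apply to this principal."""
    comps, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps a one-component principal in the local realm to its
        # first component and nothing else.
        return comps[0] if realm == LOCAL_REALM and len(comps) == 1 else None
    m = RULE_SYNTAX.match(rule)
    if m is None:
        raise ValueError(f"unsupported auth_to_local value: {rule!r}")
    ncomp, selector, regexp, pattern, repl, gflag = m.groups()
    if len(comps) != int(ncomp):
        return None
    # Build the selector string: $0 is the realm, $1..$n the components.
    text = selector.replace("$0", realm)
    for i, comp in enumerate(comps, start=1):
        text = text.replace(f"${i}", comp)
    # The regexp must match the whole selector string, else skip the rule.
    if re.fullmatch(regexp, text) is None:
        return None
    return re.sub(pattern, repl, text, count=0 if gflag else 1)


def principal_to_local(principal, rules=AUTH_TO_LOCAL):
    """First rule that yields a name wins; no rule means no local name."""
    for rule in rules:
        name = apply_rule(rule, principal)
        if name is not None:
            return name
    return None


def kuserok(principal, local_user, k5login=None, rules=AUTH_TO_LOCAL):
    """Emulate the login server's authorization decision.

    k5login is the text of ~local_user/.k5login, or None if the file does
    not exist. When it exists it is authoritative: the authenticated
    principal must be listed verbatim and the auth_to_local mapping is not
    consulted. (The ownership and permission checks the real server makes
    on .k5login are not emulated here.)
    """
    if k5login is not None:
        allowed = {line.strip() for line in k5login.splitlines() if line.strip()}
        return principal in allowed
    return principal_to_local(principal, rules) == local_user


if __name__ == "__main__":
    # Constructed principals: Darren's situation, with and without the rule.
    print(kuserok("darren@SAMPLE1.COM", "darren", rules=["DEFAULT"]))  # False
    print(kuserok("darren@SAMPLE1.COM", "darren"))                     # True
    print(kuserok("darren@SAMPLE1.COM", "darren",
                  k5login="darren@SAMPLE1.COM\ndarren@SAMPLE2.COM\n",
                  rules=["DEFAULT"]))                                  # True
```

With only DEFAULT in place the cross-realm principal is rejected even though authentication succeeded, which is the password prompt Darren saw; either the RULE or a .k5login listing the foreign principal lets the same login through, while `mallory@SAMPLE1.COM` still cannot log in as darren because the rule maps it to `mallory`. The emulation treats an existing .k5login as final, which is what MIT's default `k5login_authoritative = true` does; MIT additionally refuses a .k5login that is not owned by the user or root.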