openssh single-sign-on problem
Klavs Klavsen
kl at vsen.dk
Fri Apr 29 04:36:52 EDT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
on 04/28/05 15:23 Kevin Coffman wrote:
[SNIP]
> The client (auth01.example.dk) thinks that the (ssh) server
> (hostname?) is in a different realm (PROD.DK.EXAMPLE.NET) and is
> trying to get a cross-realm ticket. Check the [domain_realm]
> stanza of your /etc/krb5.conf file on the client and make sure that
> the ssh server's hostname maps to the correct realm (EXAMPLE.DK).
I checked the krb5.conf on server and client and they seem exactly
alike to me :(
the server (kdc) krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.DK
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.DK = {
kdc = auth01.telmore.dk:88
admin_server = auth01.example.dk:749
default_domain = example.dk
}
[domain_realm]
.example.dk = EXAMPLE.DK
example.dk = EXAMPLE.DK
[kdc]
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
and on the client:
[libdefaults]
default_tkt_enctypes = des-cbc-crc; des-cbc-md5
default_tgs_enctypes = des-cbc-crc; des-cbc-md5
ticket_lifetime = 24000
default_realm = EXAMPLE.DK
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.DK = {
kdc = udp/auth01.example.dk:88
}
[domain_realm]
.example.dk = EXAMPLE.DK
example.dk = EXAMPLE.DK
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Any obvious errors?
- --
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCcfIkPToLeX4GPGIRAix7AJ9hodDh69jG6fHIs2EWEL3u4ZLlrwCeKB19
NUjb2T2QYRDmSoJuiTY6kRs=
=gIW9
-----END PGP SIGNATURE-----
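The reply quoted above says the client is mapping the ssh server's hostname to the wrong realm. The check a practitioner would want is to feed the client's krb5.conf and the ssh server's exact hostname through the [domain_realm] lookup rules and see which realm comes out. The following script is an added example, not part of the original post or of MIT Kerberos; it models the documented MIT host-to-realm algorithm (exact hostname entry first, then each parent domain with a leading dot, then default_realm as the fallback when dns_lookup_realm = false; newer MIT releases may instead leave the realm empty and rely on KDC referrals, which this model does not cover). The hostnames sshserver.example.dk and web.prod.dk.example.net are constructed; the client configuration is the one posted above, and MISMAPPED_CONF is a constructed variant showing the kind of stray entry that would produce PROD.DK.EXAMPLE.NET.

```python
import re
from typing import Dict

# Client krb5.conf as posted in the thread (enctype lines omitted for brevity).
CLIENT_CONF = """
[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.DK
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.DK = {
kdc = udp/auth01.example.dk:88
}
[domain_realm]
.example.dk = EXAMPLE.DK
example.dk = EXAMPLE.DK
"""

# Constructed variant: one extra [domain_realm] entry is enough to send a host
# into a foreign realm and trigger the cross-realm TGS request seen in the thread.
MISMAPPED_CONF = CLIENT_CONF + """
[domain_realm]
.prod.dk.example.net = PROD.DK.EXAMPLE.NET
"""


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Collect top-level 'key = value' pairs per [section].

    Nested '{ ... }' blocks (realm and appdefaults stanzas) are skipped because
    the host-to-realm lookup only needs [domain_realm] and default_realm.
    Repeated section headers are merged, as the MIT profile library does.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if depth > 0:  # inside a { } block: track nesting, ignore contents
            depth += line.count("{") - line.count("}")
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            depth = 1
            continue
        sections[current][key] = value
    return sections


def host_realm(hostname: str, conf: Dict[str, Dict[str, str]]) -> str:
    """Map a hostname to a realm using the modelled MIT [domain_realm] rules."""
    domain_realm = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.rstrip(".").lower()  # lookups are case-insensitive
    if host in domain_realm:  # entry without a leading dot matches one host only
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):  # '.example.dk' covers every host below it
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    # Assumed fallback for dns_lookup_realm = false: the client's default realm.
    return conf["libdefaults"]["default_realm"]


def realm_report(conf_text: str, hostnames) -> Dict[str, str]:
    """Return {hostname: realm} so a misrouted host stands out at a glance."""
    conf = parse_krb5_conf(conf_text)
    return {h: host_realm(h, conf) for h in hostnames}


if __name__ == "__main__":
    hosts = ["sshserver.example.dk", "example.dk", "web.prod.dk.example.net"]
    for label, text in (("posted client conf", CLIENT_CONF), ("mismapped conf", MISMAPPED_CONF)):
        print(label)
        for host, realm in realm_report(text, hosts).items():
            print(f"  {host:28s} -> {realm}")
```

With the configuration as posted every hostname, including one under prod.dk.example.net, resolves to EXAMPLE.DK, so this file alone cannot explain the PROD.DK.EXAMPLE.NET realm in the error; the mapping has to come from somewhere else (another profile file being read, a DNS TXT lookup if dns_lookup_realm is actually on, or the hostname the ssh client ends up canonicalising to). Running the same lookup against the ssh server's name exactly as ssh resolves it is the quickest way to settle that.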