cross-realm authentication question

Russ Allbery rra at stanford.edu
Fri Apr 20 17:58:23 EDT 2007


Rohit Kumar Mehta <rohitm at engr.uconn.edu> writes:

> On my client (also running the same version of Ubuntu with libpam_krb5),
> I configured ssh for gssapi, and installed the keytab with the principal
> "host/cselin12.REALM1 at REALM".  I was able to "kinit rohitm at REALM2" and
> ssh to cselin12.REALM1 and log in automatically when my default realm (in
> /etc/krb5.conf) was set to be REALM2.  However, if I set it to be
> REALM1, it did not work and I get prompted for a password.

Did you create a ~/.k5login file in the home directory of the user to
which you're trying to log in that lists the principal in the other realm?
If ~/.k5login exists, Kerberos will use that for authorization; if it
doesn't, it falls back on krb5_aname_to_localname, which will fail for
cross-realm principals.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
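
[Added example, not part of the message above and not taken from any Kerberos implementation: a simplified Python model of the authorization decision the reply describes, run over the cases from the thread. The function names are hypothetical, the realm names are the thread's placeholders, and the model ignores .k5login ownership checks and any auth_to_local rules in krb5.conf.]

```python
# Simplified model of the login authorization check described in the reply.
# Assumption: only the default name mapping is in effect (no auth_to_local rules).

def default_aname_to_localname(principal, default_realm):
    """Default mapping: a single-component principal in the default realm
    maps to a local account of the same name; anything else has no mapping."""
    name, _, realm = principal.rpartition("@")
    if not name or "/" in name or realm != default_realm:
        return None
    return name


def authorized(principal, local_user, default_realm, k5login=None):
    """k5login is the text of ~local_user/.k5login, or None if the file is absent."""
    if k5login is not None:
        # The file exists: it alone decides, and the principal must be listed.
        listed = {ln.strip() for ln in k5login.splitlines() if ln.strip()}
        return principal in listed
    # No file: fall back on the name mapping, which must yield the target account.
    return default_aname_to_localname(principal, default_realm) == local_user


# Constructed cases: (label, principal, local user, default realm, .k5login text)
CASES = [
    ("default realm REALM2, no .k5login", "rohitm@REALM2", "rohitm", "REALM2", None),
    ("default realm REALM1, no .k5login", "rohitm@REALM2", "rohitm", "REALM1", None),
    ("default realm REALM1, .k5login lists REALM2 principal",
     "rohitm@REALM2", "rohitm", "REALM1", "rohitm@REALM2\n"),
    ("default realm REALM2, .k5login lists only REALM1 principal",
     "rohitm@REALM2", "rohitm", "REALM2", "rohitm@REALM1\n"),
]


def run_cases():
    """Return [(label, allowed)] for every constructed case."""
    return [(label, authorized(p, u, r, k)) for label, p, u, r, k in CASES]


if __name__ == "__main__":
    for label, allowed in run_cases():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {label}")
```

The last case shows that once ~/.k5login exists it replaces the fallback mapping, so a principal that would otherwise map to the account must also be listed.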



More information about the Kerberos mailing list