cross-realm authentication question
Russ Allbery
rra at stanford.edu
Fri Apr 20 17:58:23 EDT 2007
Rohit Kumar Mehta <rohitm at engr.uconn.edu> writes:
> On my client (also running the same version of Ubuntu with libpam_krb5),
> I configured ssh for gssapi, and installed the keytab with the principal
> "host/cselin12.REALM1 at REALM". I was able to "kinit rohitm at REALM2" and
> ssh to cselin12.REALM1 and login automatically when my default realm (in
> /etc/krb5.conf) was set to be REALM2. However, if I set it to be
> REALM1, it did not work and I get prompted for a password.
Did you create a ~/.k5login file in the home directory of the user to
which you're trying to log in that lists the principal in the other realm?
If ~/.k5login exists, Kerberos will use that for authorization; if it
doesn't, it falls back on krb5_aname_to_localname, which will fail for
cross-realm principals.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list