cross realm trust

Matthew B. Brookover mbrookov at mines.edu
Tue Aug 7 18:55:22 EDT 2007


I am trying to get two realms to trust each other.  Both realms are in
the Mines.EDU domain.  The first realm is production systems and is
named MINES.EDU, the second realm is for development systems and named
DEVMINES.EDU.  The documentation that I have read only discusses the
case where there is one Kerberos realm per domain.  In this case I have
two Kerberos realms in one domain.

The client (merlin.Mines.EDU) is in the MINES.EDU realm and the server
(oneoften.Mines.EDU) is in the DEVMINES.EDU realm.  Both of the Kerberos
KDCs are running Kerberos 1.6.1 with the recent patches.  I am using
OpenSSH for testing, any host in MINES.EDU can ssh to any other host in
MINES.EDU and login without a password, and any host in DEVMINES.EDU can
ssh to any other host in DEVMINES.EDU and login without a password using
Kerberos to authenticate.

After some digging through the documentation, I learned that the domain
realm section of the krb5.conf file could be used to map either a host
or a domain name to a realm name.  After some tinkering, my client
(merlin.Mines.EDU) has a domain realm like this:

[domain_realm]
 oneoften.mines.edu = DEVMINES.EDU
 oneoften.Mines.EDU = DEVMINES.EDU
 oneoften = DEVMINES.EDU
 mines.edu = MINES.EDU
 .mines.edu = MINES.EDU
 Mines.EDU = MINES.EDU
 .Mines.EDU = MINES.EDU

And my server (oneoften.Mines.EDU) has this:

[domain_realm]
 merlin.mines.edu = MINES.EDU
 merlin.Mines.EDU = MINES.EDU
 merlin = MINES.EDU
 .Mines.EDU = DEVMINES.EDU
 Mines.EDU = DEVMINES.EDU
 .mines.edu = DEVMINES.EDU
 mines.edu = DEVMINES.EDU


My capaths section on merlin and oneoften looks like this:

[capaths]
 MINES.EDU = {
   DEVMINES.EDU = MINES.EDU
 }
 
 DEVMINES.EDU = {
   MINES.EDU = DEVMINES.EDU
 }

When I ssh from Merlin to oneoften, the KDC in MINES.EDU logs this:

Aug 07 16:13:31 immortal.Mines.EDU krb5kdc[2719](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.67.4.11: ISSUE: authtime 1186524790, etypes {rep=18 tkt=23 ses=18}, mbrookov@MINES.EDU for krbtgt/DEVMINES.EDU@MINES.EDU
Aug 07 16:13:31 immortal.Mines.EDU krb5kdc[2719](info): TGS_REQ (1 etypes {18}) 138.67.4.11: ISSUE: authtime 1186524790, etypes {rep=18 tkt=23 ses=18}, mbrookov@MINES.EDU for krbtgt/MINES.EDU@MINES.EDU


And the KDC for DEVMINES.EDU logs this:

Aug 07 16:13:31 sixoften.Mines.EDU krb5kdc[5385](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.67.4.11: ISSUE: authtime 1186524790, etypes {rep=18 tkt=23 ses=18}, mbrookov@MINES.EDU for host/oneoften.mines.edu@DEVMINES.EDU


It looks to me like Merlin goes to the KDC in the MINES.EDU realm,
gets the krbtgt/DEVMINES.EDU@MINES.EDU ticket, then goes to the KDC for
the DEVMINES.EDU realm and gets the ticket for
host/oneoften.mines.edu@DEVMINES.EDU.

But, ssh still asks for a password.


[mbrookov@merlin ~]$ kdestroy ; kinit ; klist -f
Password for mbrookov@MINES.EDU: 
Ticket cache: FILE:/tmp/krb5cc_5467_V9EjEj
Default principal: mbrookov@MINES.EDU

Valid starting     Expires            Service principal
08/07/07 16:13:10  08/08/07 07:13:10  krbtgt/MINES.EDU@MINES.EDU
        renew until 08/08/07 16:13:08, Flags: FRIA


Kerberos 4 ticket cache: /tmp/tkt5467
klist: You have no tickets cached
[mbrookov@merlin ~]$ ssh oneoften
mbrookov@oneoften's password: 
Permission denied, please try again.
mbrookov@oneoften's password: 
Permission denied, please try again.
mbrookov@oneoften's password: 
Received disconnect from 138.67.130.65: 2: Too many authentication failures for mbrookov
[mbrookov@merlin ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_5467_V9EjEj
Default principal: mbrookov@MINES.EDU

Valid starting     Expires            Service principal
08/07/07 16:13:10  08/08/07 07:13:10  krbtgt/MINES.EDU@MINES.EDU
        renew until 08/08/07 16:13:08, Flags: FRIA
08/07/07 16:13:31  08/08/07 07:13:10  krbtgt/DEVMINES.EDU@MINES.EDU
        renew until 08/08/07 16:13:08, Flags: FRAT
08/07/07 16:13:31  08/08/07 07:13:10  host/oneoften.mines.edu@DEVMINES.EDU
        renew until 08/08/07 16:13:08, Flags: FRAT


Kerberos 4 ticket cache: /tmp/tkt5467
klist: You have no tickets cached
[mbrookov@merlin ~]$ 

I have never set up a cross realm relationship between two realms, but
the logs and the tickets on the client look correct to me.

I have double checked the password for the krbtgt/DEVMINES.EDU@MINES.EDU
principals in both realms and am sure they match. Just in case, I set up
the krbtgt/MINES.EDU@DEVMINES.EDU principals in both realms.  All 4
principals used to set up the cross realm trust have the same key
version number, passwords, etc.

The realms section of /etc/krb5.conf has both the MINES.EDU realm and
the DEVMINES.EDU realm.

Merlin is running Fedora 7 with all of the patches and Oneoften is
running Red Hat Enterprise Linux 4 update 5 with all of the patches.

I have run out of straws to grasp at.  Does anybody have any ideas?

Thank you

Matt
mbrookov at mines.edu
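The post's [domain_realm] mapping and the three-ticket path it produces (local TGT, cross-realm TGT, then the host service ticket) can be checked outside of a live KDC. The following is an added example, not code from the post or from MIT Kerberos: a deliberately simplified krb5.conf parser plus a host-to-realm lookup that follows the documented MIT rule (exact host-name match first, then parent domains with a leading dot, names compared in lower case). The config text is constructed from merlin's [domain_realm] and [capaths] sections above; `MERLIN_KRB5_CONF`, `parse_domain_realm`, `host_to_realm`, `cross_realm_tgt` and `expected_ticket_path` are names chosen for this example. Real MIT libkrb5 also canonicalizes the host through DNS before the lookup, which this example does not model.

```python
"""Resolve host names to realms the way [domain_realm] does and derive the
ticket path a client should end up holding for a cross-realm service.
Added example (not from the post or MIT krb5); the parser handles only flat
'key = value' lines and ignores brace-nested sections such as [capaths]."""

import re

# Constructed from the [domain_realm] and [capaths] sections shown for merlin.
MERLIN_KRB5_CONF = """
[domain_realm]
 oneoften.mines.edu = DEVMINES.EDU
 oneoften.Mines.EDU = DEVMINES.EDU
 oneoften = DEVMINES.EDU
 mines.edu = MINES.EDU
 .mines.edu = MINES.EDU
 Mines.EDU = MINES.EDU
 .Mines.EDU = MINES.EDU

[capaths]
 MINES.EDU = {
   DEVMINES.EDU = MINES.EDU
 }
 DEVMINES.EDU = {
   MINES.EDU = DEVMINES.EDU
 }
"""


def parse_domain_realm(text):
    """Return {tag: realm} for the [domain_realm] section, with tags lower-cased.

    Because tags are lower-cased, the mixed-case duplicates in the post
    collapse onto the same key (a later duplicate overwrites an earlier one).
    """
    mapping = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "domain_realm" or "=" not in line:
            continue
        tag, _, realm = line.partition("=")
        mapping[tag.strip().lower()] = realm.strip()
    return mapping


def host_to_realm(host, mapping, default_realm=None):
    """MIT-style lookup: exact host match, then each parent domain with a leading dot."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return default_realm


def cross_realm_tgt(client_realm, server_realm):
    """Principal of the TGT a client in client_realm presents to server_realm's KDC."""
    if client_realm == server_realm:
        return f"krbtgt/{client_realm}@{client_realm}"
    return f"krbtgt/{server_realm}@{client_realm}"


def expected_ticket_path(client_host, server_host, mapping):
    """Service principals the client cache should hold after a direct cross-realm hop."""
    client_realm = host_to_realm(client_host, mapping)
    server_realm = host_to_realm(server_host, mapping)
    if client_realm is None or server_realm is None:
        raise ValueError("host does not map to a realm; check [domain_realm]")
    path = [f"krbtgt/{client_realm}@{client_realm}"]
    if server_realm != client_realm:
        path.append(cross_realm_tgt(client_realm, server_realm))
    path.append(f"host/{server_host.lower()}@{server_realm}")
    return path


if __name__ == "__main__":
    realm_map = parse_domain_realm(MERLIN_KRB5_CONF)
    for principal in expected_ticket_path("merlin.Mines.EDU", "oneoften.Mines.EDU", realm_map):
        print(principal)
```

Run against the constructed config, the path comes out as krbtgt/MINES.EDU@MINES.EDU, krbtgt/DEVMINES.EDU@MINES.EDU and host/oneoften.mines.edu@DEVMINES.EDU, which is exactly what the klist output in the post shows, so the client side of the mapping is behaving as configured. Obtaining those tickets is only half of a Kerberos login: the sshd side must also hold the key for that host principal and map the foreign principal to a local account (for example through auth_to_local rules or a .k5login), which this example does not check.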
