cross realm trust

Douglas E. Engert deengert at anl.gov
Wed Aug 8 09:32:02 EDT 2007


All of this looks correct, but look at these two things:

the ~/.k5login file of the user on oneoften.mines.edu. If the user
is in one realm, and the server in the other, you need either the
~/.k5login listing the users allowed to use this unix account.

What is the default_realm in the server's krb.conf?

You can also to some testing by starting a seperate sshd:
  sshd -p 2222 -ddd   then on the client use
  ssh -p 2222 -vvv oneoften.mines.edu

Matthew B. Brookover wrote:
> I am trying to get two realms to trust each other.  Both realms are in
> the Mines.EDU domain.  The first realm is production systems and is
> named MINES.EDU, the second realm is for development systems and named
> DEVMINES.EDU.  The documentation that I have read only discusses the
> case where there is one Kerberos realm per domain.  In this case I have
> two Kerberos realms in one domain.
> 
> The client (merlin.Mines.EDU) is in the MINES.EDU realm and the server
> (oneoften.Mines.EDU) is in the DEVMINES.EDU realm.  Both of the Kerberos
> KDCs are running Kerberos 1.6.1 with the recent patches.  I am using
> OpenSSH for testing, any host in MINES.EDU can ssh to any other host in
> MINES.EDU and login without a password, and any host in DEVMINES.EDU can
> ssh to any other host in DEVMINES.EDU and login without a password using
> Kerberos to authenticate.
> 
> After some digging through the documentation, I learned that the domain
> realm section of the krb5.conf file could be used to map either a host
> or a domain name to a realm name.  After some tinkering, my client
> (merlin.Mines.EDU) has a domain realm like this:
> 
> [domain_realm]
>  oneoften.mines.edu = DEVMINES.EDU
>  oneoften.Mines.EDU = DEVMINES.EDU
>  oneoften = DEVMINES.EDU
>  mines.edu = MINES.EDU
>  .mines.edu = MINES.EDU
>  Mines.EDU = MINES.EDU
>  .Mines.EDU = MINES.EDU
> 
> And my server (oneoften.Mines.EDU) has this:
> 
> [domain_realm]
>  merlin.mines.edu = MINES.EDU
>  merlin.Mines.EDU = MINES.EDU
>  merlin = MINES.EDU
>  .Mines.EDU = DEVMINES.EDU
>  Mines.EDU = DEVMINES.EDU
>  .mines.edu = DEVMINES.EDU
>  mines.edu = DEVMINES.EDU
> 
> 
> My capaths section on merlin and oneoften look like this:
> 
> [capaths]
>  MINES.EDU = {
>    DEVMINES.EDU = MINES.EDU
>  }
>  
>  DEVMINES.EDU = {
>    MINES.EDU = DEVMINES.EDU
>  }
> 
> When I ssh from Merlin to oneoften, the KDC in MINES.EDU logs this:
> 
> Aug 07 16:13:31 immortal.Mines.EDU krb5kdc[2719](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.67.4.11: ISSUE: authtime 1186524790, etypes {rep=18 tkt=23 ses=18}, mbrookov at MINES.EDU for krbtgt/DEVMINES.EDU at MINES.EDU
> Aug 07 16:13:31 immortal.Mines.EDU krb5kdc[2719](info): TGS_REQ (1 etypes {18}) 138.67.4.11: ISSUE: authtime 1186524790, etypes {rep=18 tkt=23 ses=18}, mbrookov at MINES.EDU for krbtgt/MINES.EDU at MINES.EDU
> 
> 
> And the KDC for DEVMINES.EDU logs this:
> 
> Aug 07 16:13:31 sixoften.Mines.EDU krb5kdc[5385](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.67.4.11: ISSUE: authtime 1186524790, etypes {rep=18 tkt=23 ses=18}, mbrookov at MINES.EDU for host/oneoften.mines.edu at DEVMINES.EDU
> 
> 
> It looks to me like that Merlin goes to the kdc, in the MINES.EDU realm,
> gets the krbtgt/DEVMINES.EDU at MINES.EDU ticket, then goes to the KDC for
> the DEVMINES.EDU realm and gets the ticket for
> host/oneoften.mines.edu at DEVMINES.EDU.  
> 
> But, ssh still asks for a password.
> 
> 
> [mbrookov at merlin ~]$ kdestroy ; kinit ; klist -f
> Password for mbrookov at MINES.EDU: 
> Ticket cache: FILE:/tmp/krb5cc_5467_V9EjEj
> Default principal: mbrookov at MINES.EDU
> 
> Valid starting     Expires            Service principal
> 08/07/07 16:13:10  08/08/07 07:13:10  krbtgt/MINES.EDU at MINES.EDU
>         renew until 08/08/07 16:13:08, Flags: FRIA
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt5467
> klist: You have no tickets cached
> [mbrookov at merlin ~]$ ssh oneoften
> mbrookov at oneoften's password: 
> Permission denied, please try again.
> mbrookov at oneoften's password: 
> Permission denied, please try again.
> mbrookov at oneoften's password: 
> Received disconnect from 138.67.130.65: 2: Too many authentication failures for mbrookov
> [mbrookov at merlin ~]$ klist -f
> Ticket cache: FILE:/tmp/krb5cc_5467_V9EjEj
> Default principal: mbrookov at MINES.EDU
> 
> Valid starting     Expires            Service principal
> 08/07/07 16:13:10  08/08/07 07:13:10  krbtgt/MINES.EDU at MINES.EDU
>         renew until 08/08/07 16:13:08, Flags: FRIA
> 08/07/07 16:13:31  08/08/07 07:13:10  krbtgt/DEVMINES.EDU at MINES.EDU
>         renew until 08/08/07 16:13:08, Flags: FRAT
> 08/07/07 16:13:31  08/08/07 07:13:10  host/oneoften.mines.edu at DEVMINES.EDU
>         renew until 08/08/07 16:13:08, Flags: FRAT
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt5467
> klist: You have no tickets cached
> [mbrookov at merlin ~]$ 
> 
> I have never set up a cross realm relationship between two realms, but
> the logs and the tickets on the client look correct to me.
> 
> I have double checked the password for the krbtgt/DEVMINES.EDU at MINES.EDU
> principals in both realms and am sure they match. Just in case I set up
> the krbtgt/MINES.EDU at DEVMINES.EDU principals in both realms.  All 4
> principals used to set up the cross realm trust have the same key
> version number, passwords, etc.
> 
> The realms section of /etc/krb5.conf has both the MINES.EDU realm and
> the DEVMINES.EDU realm.
> 
> Merlin is running Fedora 7 with all of the patches and Oneoften is
> running Red Hat Enterprise Linux 4 update 5 with all of the patches.
> 
> I have ran out of straws to grasp at.  Does any body have any ideas?
> 
> thank you
> 
> Matt
> mbrookov at mines.edu
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



More information about the Kerberos mailing list