Cross Realm MIT <-> Windows Close But No Cigar

Christopher D. Clausen cclausen@acm.org
Thu May 3 21:31:55 EDT 2007


Michael B Allen <mba2000@ioplex.com> wrote:
> On Thu, 3 May 2007 23:33:29 +0100
> "Markus Moeller" <huaraz@moeller.plus.com> wrote:
>
>> What does sshd -ddde show when you connect ?  Do you use a .k5login
>> or auth_to_local ?
>
> Hi Markus,
>
> I'm not familiar with .k5login or auth_to_local. The only thing I
> changed in sshd_config was I turned off UsePAM.

Kerberos only handles authentication.  You need something for 
authorization.  By default, the Kerberos libraries will match principals 
in the local default realm to local users (principal == local user 
name).  cclausen@DEFAULT.REALM can login as cclausen. 
cclausen@FOREIGN.REALM cannot login without authorization.

> I actually think the trust is valid. I've been trying it with my HTTP
> SSO code and the GSS calls are definitely succeeding. It's something
> that happens after the auth (e.g. RC4 salting or session key
> problem).

Setting up a trust does NOT automatically grant authorization for the 
foreign realm.  Try creating a ~/.k5login file in the home directory of 
the user you are logging in as listing authorized Kerberos principals, 
one per line.

(AD.UIUC.EDU is a Windows AD domain.  ILLIGAL.UIUC.EDU is a MIT realm.)

For instance:
C:\>klist
Ticket cache: API:cclausen@AD.UIUC.EDU
Default principal: cclausen@AD.UIUC.EDU
Valid starting     Expires            Service principal
05/03/07 20:26:36  05/04/07 06:26:36  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
C:\>putty ial.illigal.uiuc.edu
C:\>klist
Ticket cache: API:cclausen@AD.UIUC.EDU
Default principal: cclausen@AD.UIUC.EDU
Valid starting     Expires            Service principal
05/03/07 20:26:36  05/04/07 06:26:36  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
05/03/07 20:26:36  05/04/07 06:26:36  krbtgt/ILLIGAL.UIUC.EDU@AD.UIUC.EDU
05/03/07 20:26:58  05/04/07 06:26:36  host/ial.illigal.uiuc.edu@ILLIGAL.UIUC.EDU

On the remote system:
cclausen@ial:~$ cat .k5login
cclausen@ILLIGAL.UIUC.EDU
cclausen@AD.UIUC.EDU
cclausen@ial:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_L30429
Default principal: cclausen@AD.UIUC.EDU
Valid starting     Expires            Service principal
05/03/07 20:26:58  05/04/07 06:26:36  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
cclausen@ial:~$ cat /etc/krb5.conf | grep default
[libdefaults]
        default_realm = ILLIGAL.UIUC.EDU
cclausen@ial:~$

<<CDC 
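The authentication-versus-authorization rule described in this message, as an added Python model that is not code from the thread or from MIT krb5: it mimics the krb5_kuserok() decision (assumed simplified: exact-match ~/.k5login entries if the file exists, otherwise the default "same name, default realm" rule, and no auth_to_local rules), using the realms and .k5login contents from the example above as constructed input.

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass(frozen=True)
class Principal:
    name: str
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        # Split on the last '@'; escaped '\@' inside a name is not modelled.
        name, sep, realm = text.rpartition("@")
        if not sep or not name or not realm:
            raise ValueError(f"not a principal: {text!r}")
        return cls(name, realm)

def parse_k5login(contents: Optional[str]) -> Optional[Set[Principal]]:
    """Principals listed in ~/.k5login (one per line), or None if the file is absent."""
    if contents is None:
        return None
    return {Principal.parse(line.strip()) for line in contents.splitlines() if line.strip()}

def kuserok(principal: str, local_user: str, default_realm: str,
            k5login: Optional[str]) -> bool:
    """Simplified model of krb5_kuserok(): may `principal` log in as `local_user`?
    A present .k5login is authoritative; without one, only a single-component
    principal in the default realm whose name equals the local user is allowed.
    A cross-realm trust plays no part here: it only gets the ticket issued."""
    who = Principal.parse(principal)
    allowed = parse_k5login(k5login)
    if allowed is not None:
        return who in allowed
    return who.realm == default_realm and who.name == local_user and "/" not in who.name

# Constructed inputs taken from the example in the message above.
DEFAULT_REALM = "ILLIGAL.UIUC.EDU"
K5LOGIN = "cclausen@ILLIGAL.UIUC.EDU\ncclausen@AD.UIUC.EDU\n"

def foreign_without_k5login() -> bool:
    # Trust exists, ticket is valid, but no authorization: login denied.
    return kuserok("cclausen@AD.UIUC.EDU", "cclausen", DEFAULT_REALM, None)

def foreign_with_k5login() -> bool:
    # The .k5login lists the AD principal explicitly: login allowed.
    return kuserok("cclausen@AD.UIUC.EDU", "cclausen", DEFAULT_REALM, K5LOGIN)

def local_default_rule() -> bool:
    # Same name in the default realm needs no .k5login at all.
    return kuserok("cclausen@ILLIGAL.UIUC.EDU", "cclausen", DEFAULT_REALM, None)
```

Note that once a .k5login exists it replaces the default rule, so a default-realm principal not listed in it is refused too; keep both entries, as the example file does.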