Problems with kadmind, kpasswd and cross-realm authentication

Anthony Brock brocka at sterlingcgi.com
Tue Sep 4 19:02:50 EDT 2007


I have created several cross-realm trusts on a test server. At this point,
nearly everything is working properly. However, users are unable to change
their passwords unless their account is in the initial domain. Users see the
following when attempting it from the initial domain:

# kpasswd
Password for brocka at SCGROUP.ORG:
Enter new password:
Enter it again:
Password changed.
#

Unfortunately, the following happens for additional domains:

# kpasswd
Password for brocka at STERLINGCGI.COM:
Enter new password:
Enter it again:
Authentication error: Failed reading application request
#

An strace of the kadmind daemon during a failed request shows the following:

Process 1123 attached - interrupt to quit
select(8, [6 7], NULL, NULL, {10, 890000}) = 0 (Timeout)
select(8, [6 7], NULL, NULL, {15, 0})   = 1 (in [7], left {12, 140000})
recvfrom(7, "\2\37\0\1\1\272n\202\1\2660\202\1\262\240\3\2\1\5\241\3"...,
1500, 0, {sa_family=AF_INET, sin_port=htons(2051),
sin_addr=inet_addr("10.0.1.7")}, [16]) = 543
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 10
connect(10, {sa_family=AF_INET, sin_port=htons(2051),
sin_addr=inet_addr("10.0.1.7")}, 16) = 0
time(NULL)                              = 1188946658
close(10)                               = 0
sendto(7, "\0\207\0\1\0\0~\1770}\240\3\2\1\5\241\3\2\1\36\244\21\30"...,
135, 0, {sa_family=AF_INET, sin_port=htons(2051),
sin_addr=inet_addr("10.0.1.7")}, 16) = 135
select(8, [6 7], NULL, NULL, {15, 0} <unfinished ...>
Process 1123 detached

Any ideas? What further information would assist in identifying the issue?
Has anyone else encountered this?

There doesn't seem to be much helpful documentation on cross-realm
authentication or how it should be set up. Thanks in advance!

Tony
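
The two datagrams in the strace output above can be read by hand. As an added example (not part of the original post), this Python sketch unescapes the truncated strace strings and decodes the kpasswd framing from RFC 3244 (message length, protocol version, AP-REQ/AP-REP length) plus the first DER tag; the function names are illustrative assumptions.

```python
import re

# Truncated datagram prefixes copied from the strace output in the post.
REQUEST = r"\2\37\0\1\1\272n\202\1\2660\202\1\262\240\3\2\1\5\241\3"
REPLY = r"\0\207\0\1\0\0~\1770}\240\3\2\1\5\241\3\2\1\36\244\21\30"

# Kerberos APPLICATION tag numbers (RFC 4120) relevant to kpasswd traffic.
KRB_TYPES = {14: "AP-REQ", 15: "AP-REP", 21: "KRB-PRIV", 30: "KRB-ERROR"}

def unescape_strace(s):
    """Convert strace's C-style string (octal escapes, max 3 digits) to bytes."""
    simple = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, "\\": 92, '"': 34}
    out = bytearray()
    for m in re.finditer(r"\\([0-7]{1,3})|\\(.)|(.)", s, re.S):
        octal, esc, lit = m.groups()
        if octal:
            out.append(int(octal, 8))
        elif esc:
            out.append(simple[esc])
        else:
            out.append(ord(lit))
    return bytes(out)

def der_header(buf):
    """Return (APPLICATION tag or None, content length, header size) of a DER TLV."""
    tag, first = buf[0], buf[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form: low 7 bits = length octets
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    app = tag & 0x1F if tag & 0xE0 == 0x60 else None
    return app, length, hdr

def decode_kpasswd(prefix):
    """Decode the 6-byte kpasswd header and identify the first Kerberos message."""
    app, length, hdr = der_header(prefix[6:])
    return {
        "msg_len": int.from_bytes(prefix[0:2], "big"),   # whole datagram
        "version": int.from_bytes(prefix[2:4], "big"),
        "ap_len": int.from_bytes(prefix[4:6], "big"),    # 0 in a reply => KRB-ERROR follows
        "first_msg": KRB_TYPES.get(app, app),
        "first_msg_size": hdr + length,
    }

if __name__ == "__main__":
    for name, raw in (("request", REQUEST), ("reply", REPLY)):
        print(name, decode_kpasswd(unescape_strace(raw)))
```

The decoded lengths match the 543 and 135 byte counts strace reports, and the reply carries a zero-length AP-REP followed by a KRB-ERROR. The error code itself lies beyond the bytes strace printed, so a longer capture (for example a larger `strace -s` value) is needed to read it.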



