cross realm and capaths question
Markus Moeller
huaraz at moeller.plus.com
Sat Sep 29 09:30:26 EDT 2007
I have a setup with 4 DCs. 3 DCs build a forest and the fourth hangs off one
of the sub domains.

             TOP.COM
            /       \
   DOM1.TOP.COM   DOM2.TOP.COM
       /
   TEST.HOME
There is full trust between TOP.COM and DOM1.TOP.COM and DOM2.TOP.COM.
TEST.HOME has only full trust to DOM1.TOP.COM.
I try to connect from a user in DOM2.TOP.COM to a system in TEST.HOME with
the following krb5.conf on DOM2.TOP.COM systems.
[domain_realm]
top.com = TOP.COM
.top.com = TOP.COM
dom1.top.com = DOM1.TOP.COM
.dom1.top.com = DOM1.TOP.COM
dom2.top.com = DOM2.TOP.COM
.dom2.top.com = DOM2.TOP.COM
test.home = TEST.HOME
.test.home = TEST.HOME
[capaths]
DOM2.TOP.COM = {
    TEST.HOME = DOM1.TOP.COM
    DOM1.TOP.COM = TOP.COM
    TOP.COM = .
}
DOM1.TOP.COM = {
    DOM2.TOP.COM = TOP.COM
    TOP.COM = .
}
TEST.HOME = {
    DOM2.TOP.COM = TOP.COM
    TOP.COM = DOM1.TOP.COM
    DOM1.TOP.COM = .
}
A walk tree test gives me:
#t_walk_rtree DOM1.TOP.COM TEST.HOME
krbtgt/DOM1.TOP.COM at DOM1.TOP.COM
krbtgt/TEST.HOME at DOM1.TOP.COM
#t_walk_rtree DOM2.TOP.COM TEST.HOME
krbtgt/DOM2.TOP.COM at DOM2.TOP.COM
krbtgt/DOM1.TOP.COM at DOM2.TOP.COM
krbtgt/DOM1.TOP.COM at DOM1.TOP.COM
krbtgt/TEST.HOME at DOM1.TOP.COM
But when I do a ldapsearch -H ldap://dc.test.home .... I get
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous
failure (KDC reply did not match expectations)
An Ethereal capture shows a TGS-REQ for krbtgt/TEST.HOME going to DOM2.TOP.COM
instead of to DOM1.TOP.COM.
What is wrong in my configuration?
Thank you
Markus
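An added example, not code from the post or from MIT krb5: a small Python model of how the quoted [domain_realm] and [capaths] stanzas resolve, listing the krbtgt requests a DOM2.TOP.COM client is expected to issue to reach a TEST.HOME host, so the sequence can be compared against a packet capture. It assumes the krb5 capaths rule that a value lists the intermediate realms in order and "." means a direct trust; the parser is ad hoc, not libkrb5's profile library.

```python
# Constructed krb5.conf fragment with the stanzas from the post (assumption:
# parsed here with an ad-hoc parser, not libkrb5's profile library).
KRB5_CONF = """
[domain_realm]
 .test.home = TEST.HOME
 dom2.top.com = DOM2.TOP.COM
 .dom2.top.com = DOM2.TOP.COM
[capaths]
 DOM2.TOP.COM = {
  TEST.HOME = DOM1.TOP.COM
  DOM1.TOP.COM = TOP.COM
  TOP.COM = .
 }
"""

def parse_krb5_conf(text):
    """Minimal parser: '[section]' headers, 'key = value' and 'key = { ... }'."""
    sections, stack = {}, []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.startswith("["):
            stack = [sections.setdefault(line.strip("[]"), {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return sections

def host_realm(conf, host):
    """[domain_realm] lookup: exact host first, then each leading-dot parent domain."""
    mapping, host = conf.get("domain_realm", {}), host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        realm = mapping.get("." + ".".join(labels[i:]))
        if realm:
            return realm
    return None

def expected_tgs_requests(conf, client_realm, server_realm):
    """krbtgt/NEXT@CUR principals to request in order; the request for NEXT goes to CUR's KDC."""
    if client_realm == server_realm:
        return []
    hops = conf.get("capaths", {}).get(client_realm, {}).get(server_realm, ".")
    chain = [client_realm] + ([] if hops == "." else hops.split()) + [server_realm]
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(chain, chain[1:])]
```

For the post's case the second entry is krbtgt/TEST.HOME@DOM1.TOP.COM, i.e. that TGS-REQ should be sent to a DOM1.TOP.COM KDC; a capture showing it sent to DOM2.TOP.COM means the client did not take the [capaths] route.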