cross-realm authentication works only with .k5login
Andrea
acirulli at gmail.com
Mon Mar 17 09:57:00 EDT 2008
Hi all,
I just set up a multi realm KDC on a linux machine.
The 2 REALMS are named SOLARIS and SOLARIS2.
I want to put a trust relationship between the two REALMS, so I did
the following on each KDC:
addprinc -pw krbtgt/SOLARIS2 krbtgt/SOLARIS2@SOLARIS
addprinc -pw krbtgt/SOLARIS krbtgt/SOLARIS@SOLARIS2
In order to test cross realm authentication I tried to single sign on
into a machine based on SOLARIS realm, with a ticket of SOLARIS2. The
SSO doesn't work; however, if I run klist after trying SSO, it
yields:
[root@localhost ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: andrea@SOLARIS2
Valid starting     Expires            Service principal
03/17/08 04:09:13  03/17/08 15:49:13  krbtgt/SOLARIS2@SOLARIS2
        renew until 03/17/08 04:09:13
03/17/08 04:09:19  03/17/08 15:49:13  krbtgt/SOLARIS@SOLARIS2
        renew until 03/17/08 04:09:13
03/17/08 04:09:19  03/17/08 15:49:13  host/andrea@SOLARIS
        renew until 03/17/08 04:09:13
It seems that the cross realm authentication works, but the SSO does not.
I can make the system work successfully by inserting the .k5login file
into the home directory of the user who is attempting to SSO on the
machine with a ticket of SOLARIS2 REALM.
I want to ask you:
Am I missing something in the configuration?
Is it necessary to set up a .k5login for each user on the system?
Is it possible to avoid using the .k5login?
Thanks in advance!
best regards,
Andrea
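Added illustration (not from Andrea's post and not MIT krb5's own code): a Python model of how a Kerberized login decides whether a principal may log in as a local account, which is where the behaviour described above comes from. The built-in DEFAULT name mapping accepts only single-component principals of the host's own realm, so andrea@SOLARIS2 has no local name on a SOLARIS host and the login falls back to ~/.k5login; an auth_to_local RULE in krb5.conf (the one in EXAMPLE_RULES is an assumed setting, not from the post) can supply the mapping instead.

```python
import re

# Assumed krb5.conf setting, not from the post: map any one-component
# principal in SOLARIS2 to the same account name on a SOLARIS host.
EXAMPLE_RULES = ["RULE:[1:$1@$0](.*@SOLARIS2)s/@.*//", "DEFAULT"]

# [n:string](regexp)s/pat/rep/[g]  (regexp may not contain ')' here)
RULE_RE = re.compile(r"^\[(\d+):([^\]]*)\]\(([^)]*)\)(.*)$")

def split_principal(principal):
    name, _, realm = principal.rpartition("@")   # 'host/andrea@SOLARIS'
    return name.split("/"), realm                # -> (['host','andrea'], 'SOLARIS')

def default_map(principal, local_realm):
    """DEFAULT rule (what runs with no auth_to_local configured): a
    one-component principal in the local realm maps to that component;
    foreign-realm or multi-component principals get no local name."""
    comps, realm = split_principal(principal)
    return comps[0] if realm == local_realm and len(comps) == 1 else None

def apply_rule(rule, principal):
    """Evaluate one RULE entry: build 'string' from $0 (realm) and $1..$n
    (components), require regexp to match all of it, apply the s/// edits."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    n, template, regexp, subs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    comps, realm = split_principal(principal)
    if len(comps) != n:                          # component count must match n
        return None
    out = template.replace("$0", realm)
    for i, comp in enumerate(comps, start=1):
        out = out.replace("$%d" % i, comp)
    if not re.fullmatch(regexp, out):            # selection regexp is anchored
        return None
    for pat, rep, flag in re.findall(r"s/([^/]*)/([^/]*)/(g?)", subs):
        out = re.sub(pat, rep, out, count=0 if flag else 1)
    return out

def map_principal(principal, local_realm, rules=("DEFAULT",)):
    """Walk auth_to_local rules in order; the first one yielding a name wins."""
    for rule in rules:
        if rule == "DEFAULT":
            result = default_map(principal, local_realm)
        elif rule.startswith("RULE:"):
            result = apply_rule(rule[len("RULE:"):], principal)
        else:
            raise ValueError("unknown rule type: " + rule)
        if result is not None:
            return result
    return None

def login_allowed(principal, local_user, local_realm, rules=("DEFAULT",), k5login=None):
    """Login decision: if ~/.k5login exists the principal must be listed in it;
    otherwise the mapped local name must equal the account being logged into."""
    if k5login is not None:
        return principal in [l.strip() for l in k5login.splitlines() if l.strip()]
    return map_principal(principal, local_realm, rules) == local_user
```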