cross-realm authentication works only with .k5login

Markus Moeller huaraz at moeller.plus.com
Mon Mar 17 16:44:00 EDT 2008 

Hi Andrea,

a user andrea at SOLARIS in not the same as a user andrea at SOLARIS2. You need to 
tell a server in domain SOLARIS that user andrea at SOLARIS2 is the same as 
andrea at SOLARIS by either using .k5login or use auth_to_local in krb5.conf 
e.g.

..
[realms]
       SOLARIS = {
               kdc = ..
#
# map xxx at SOLARIS2 to local user xxx
#
               auth_to_local = RULE:[1:$1@$0](.*@SOLARIS2$)s/@.*//
               auth_to_local = DEFAULT
       }
..

This means you trust both domains using unique ids.

Markus


"Andrea" <acirulli at gmail.com> wrote in message 
news:b66de008-26d7-48b7-9bc1-0f5e4756b71b at z38g2000hsc.googlegroups.com...
> Hi all,
> I just setted up a multi realm KDC on a linux machine.
> The 2 REALMS are named SOLARIS and SOLARIS2.
> I want to put a trust relationship between the two REALMS, so I did
> the following on each KDC:
>
> addprinc -pw krbtgt/SOLARIS2 krbtgt/SOLARIS2 at SOLARIS
> addprinc -pw krbtgt/SOLARIS krbtgt/SOLARIS at SOLARIS2
>
> In order to test cross realm authentication I tryed to single sign on
> into a machine based on SOLARIS realm, with a ticket of SOLARIS2. The
> SSO doesn't work, however if I run klist after trying   SSO, it
> yields:
> [root at localhost ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: andrea at SOLARIS2
>
> Valid starting     Expires            Service principal
> 03/17/08 04:09:13  03/17/08 15:49:13  krbtgt/SOLARIS2 at SOLARIS2
>        renew until 03/17/08 04:09:13
> 03/17/08 04:09:19  03/17/08 15:49:13  krbtgt/SOLARIS at SOLARIS2
>        renew until 03/17/08 04:09:13
> 03/17/08 04:09:19  03/17/08 15:49:13  host/andrea at SOLARIS
>        renew until 03/17/08 04:09:13
>
> It seems that the cross realm authentication works, but the SSO no.
>
> I can make the system successfully works inserting the .k5login file
> into the home directory of the user who is attempting to SSO on the
> machine with a ticket of SOLARIS2 REALM.
>
> I want to ask to you:
>
> Am I missing something on the configuration?
> Is necessary to set up for each user on the system a .k5login?
> Is it possible to avoid using the .k5login?
>
> Thanks in advance!
>
> best regards,
> Andrea
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

More information about the Kerberos mailing list