cross-realm authentication works only with .k5login
Markus Moeller
huaraz at moeller.plus.com
Mon Mar 17 16:44:00 EDT 2008
Hi Andrea,
a user andrea at SOLARIS in not the same as a user andrea at SOLARIS2. You need to
tell a server in domain SOLARIS that user andrea at SOLARIS2 is the same as
andrea at SOLARIS by either using .k5login or use auth_to_local in krb5.conf
e.g.
..
[realms]
SOLARIS = {
kdc = ..
#
# map xxx at SOLARIS2 to local user xxx
#
auth_to_local = RULE:[1:$1@$0](.*@SOLARIS2$)s/@.*//
auth_to_local = DEFAULT
}
..
This means you trust both domains using unique ids.
Markus
"Andrea" <acirulli at gmail.com> wrote in message
news:b66de008-26d7-48b7-9bc1-0f5e4756b71b at z38g2000hsc.googlegroups.com...
> Hi all,
> I just setted up a multi realm KDC on a linux machine.
> The 2 REALMS are named SOLARIS and SOLARIS2.
> I want to put a trust relationship between the two REALMS, so I did
> the following on each KDC:
>
> addprinc -pw krbtgt/SOLARIS2 krbtgt/SOLARIS2 at SOLARIS
> addprinc -pw krbtgt/SOLARIS krbtgt/SOLARIS at SOLARIS2
>
> In order to test cross realm authentication I tryed to single sign on
> into a machine based on SOLARIS realm, with a ticket of SOLARIS2. The
> SSO doesn't work, however if I run klist after trying SSO, it
> yields:
> [root at localhost ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: andrea at SOLARIS2
>
> Valid starting Expires Service principal
> 03/17/08 04:09:13 03/17/08 15:49:13 krbtgt/SOLARIS2 at SOLARIS2
> renew until 03/17/08 04:09:13
> 03/17/08 04:09:19 03/17/08 15:49:13 krbtgt/SOLARIS at SOLARIS2
> renew until 03/17/08 04:09:13
> 03/17/08 04:09:19 03/17/08 15:49:13 host/andrea at SOLARIS
> renew until 03/17/08 04:09:13
>
> It seems that the cross realm authentication works, but the SSO no.
>
> I can make the system successfully works inserting the .k5login file
> into the home directory of the user who is attempting to SSO on the
> machine with a ticket of SOLARIS2 REALM.
>
> I want to ask to you:
>
> Am I missing something on the configuration?
> Is necessary to set up for each user on the system a .k5login?
> Is it possible to avoid using the .k5login?
>
> Thanks in advance!
>
> best regards,
> Andrea
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list