cross-realm authentication works only with .k5login

Andrea acirulli at gmail.com
Wed Mar 19 07:59:11 EDT 2008 

Hi, i inserted the regular expression as you suggested, and on that
machine (let's say this machine as MASTER) I can Single Sign On with
both REALMS.

However if  I use the same krb5.conf on an another machine (let's say
SLAVE) setting the realm SOLARIS2 as default I can't Single Sign On on
MASTER machine which is setted up for SOLARIS REALM as default. The
strange thing lies in the fact that if on the SLAVE i use as default
REALM SOLARIS then everything works fine, that is i can SSO with both
REALMS.

Any idea or suggestions?


The krb5.conf of the master is the following:
[libdefaults]
        default_realm =SOLARIS
        dns_lookup_kdc = false
        dns_fallback  =  false
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        renewable = true
        forwardable = true
        proxiable = true

[realms]
        SOLARIS = {
                kdc = colcascms
                admin_server = colcascms
                auth_to_local = RULE:[1:$1@$0](.*@SOLARIS2$)s/@.*//
               auth_to_local = DEFAULT

        }
        SOLARIS2 = {
                kdc = colcascms
                admin_server = colcascms
        }


And the krb5.conf of the SLAVE is:


[libdefaults]
        default_realm =SOLARIS
        dns_lookup_kdc = false
        dns_fallback  =  false
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        renewable = true
        forwardable = true
        proxiable = true


[realms]
        SOLARIS = {
                kdc = colcascms
                admin_server = colcascms
                auth_to_local = RULE:[1:$1@$0](.*@SOLARIS2$)s/@.*//
                auth_to_local = DEFAULT

        }
        SOLARIS2 = {
                kdc = colcascms
                admin_server = colcascms
                auth_to_local = RULE:[1:$1@$0](.*@SOLARIS$)s/@.*//
                auth_to_local = DEFAULT
        }


On 17 Mar, 21:44, "Markus Moeller" <hua... at moeller.plus.com> wrote:
> Hi Andrea,
>
> a user andrea at SOLARIS in not the same as a user andrea at SOLARIS2. You need to
> tell a server in domain SOLARIS that user andrea at SOLARIS2 is the same as
> andrea at SOLARIS by either using .k5login or use auth_to_local in krb5.conf
> e.g.
>
> ..
> [realms]
>        SOLARIS = {
>                kdc = ..
> #
> # map xxx at SOLARIS2 to local user xxx
> #
>                auth_to_local = RULE:[1:$1@$0](.*@SOLARIS2$)s/@.*//
>                auth_to_local = DEFAULT
>        }
> ..
>
> This means you trust both domains using unique ids.
>
> Markus
>
> "Andrea" <aciru... at gmail.com> wrote in message
>
> news:b66de008-26d7-48b7-9bc1-0f5e4756b71b at z38g2000hsc.googlegroups.com...
>
> > Hi all,
> > I just setted up a multi realm KDC on a linux machine.
> > The 2 REALMS are named SOLARIS and SOLARIS2.
> > I want to put a trust relationship between the two REALMS, so I did
> > the following on each KDC:
>
> > addprinc -pw krbtgt/SOLARIS2 krbtgt/SOLARIS2 at SOLARIS
> > addprinc -pw krbtgt/SOLARIS krbtgt/SOLARIS at SOLARIS2
>
> > In order to test cross realm authentication I tryed to single sign on
> > into a machine based on SOLARIS realm, with a ticket of SOLARIS2. The
> > SSO doesn't work, however if I run klist after trying   SSO, it
> > yields:
> > [root at localhost ~]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: andrea at SOLARIS2
>
> > Valid starting     Expires            Service principal
> > 03/17/08 04:09:13  03/17/08 15:49:13  krbtgt/SOLARIS2 at SOLARIS2
> >        renew until 03/17/08 04:09:13
> > 03/17/08 04:09:19  03/17/08 15:49:13  krbtgt/SOLARIS at SOLARIS2
> >        renew until 03/17/08 04:09:13
> > 03/17/08 04:09:19  03/17/08 15:49:13  host/andrea at SOLARIS
> >        renew until 03/17/08 04:09:13
>
> > It seems that the cross realm authentication works, but the SSO no.
>
> > I can make the system successfully works inserting the .k5login file
> > into the home directory of the user who is attempting to SSO on the
> > machine with a ticket of SOLARIS2 REALM.
>
> > I want to ask to you:
>
> > Am I missing something on the configuration?
> > Is necessary to set up for each user on the system a .k5login?
> > Is it possible to avoid using the .k5login?
>
> > Thanks in advance!
>
> > best regards,
> > Andrea
> > ________________________________________________
> > Kerberos mailing list           Kerbe... at mit.edu
> >https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list