cross-realm authentication problem

Bjoern Tore Sund bjorn.sund at it.uib.no
Thu May 28 10:46:22 EDT 2009


I am trying to get cross-realm authentication to work between AD and our 
MIT Kerberos realm.  Windows clients are in KLIENT.UIB.NO, Windows user 
accounts are in UIB.NO, Unix/Linux machines and accounts are in 
UNIX.UIB.NO.  User names in UIB.NO and UNIX.UIB.NO are the same.

KLIENT.UIB.NO and UIB.NO trust each other, UIB.NO and UNIX.UIB.NO have 
two-way trust enabled, transitive.

I have one web server running RHEL4, apache 2.0.52 and Kerberos 1.3.4 as 
provided by Redhat, self-compiled mod_auth_kerb 5.4, and another running 
RHEL5, apache 2.2.3 and Kerberos 1.6.1 as provided by Redhat, 
self-compiled mod_auth_kerb 5.4.  krb5.conf, .htaccess etc are identical 
on the two web servers, both have principals in UNIX.UIB.NO.

From Unix/Linux machines with user authenticated in UNIX.UIB.NO Kerberos 
negotiation works fine.  After choosing UNIX.UIB.NO as authentication 
domain on a Windows machine Kerberos negotiation works fine.  After 
authenticating against UIB.NO on a Linux machine (which has UNIX.UIB.NO 
as primary realm in krb5.conf) cross-realm authentication works fine. 
But using a Windows machine where the user is authenticated in UIB.NO I 
get cross-realm authentication only to the web server running RHEL4, not 
the one running RHEL5; I never even get a ticket for UNIX.UIB.NO from AD 
when trying to access the RHEL5 server web page.  The only difference 
between the RHEL4 and RHEL5 server should be the Kerberos and Apache 
versions.


krb5.conf on the server looks like this:
===
[libdefaults]
  default_realm = UNIX.UIB.NO
  ticket_lifetime = 144h
  forwardable = yes
  proxiable = yes
  permitted_enctypes = des3-hmac-sha1 des-cbc-crc rc4-hmac des-cbc-md5
  default_tgs_enctypes = des-cbc-crc
  default_tkt_enctypes = des-cbc-crc
  dns_lookup_realm = true
  dns_lookup_kdc = true
  udp_preference_limit = 1

[realms]
  UNIX.UIB.NO = {
     auth_to_local = RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//
  }

[domain_realm]
  .uib.no = UNIX.UIB.NO
  uib.no = UNIX.UIB.NO

[kdc]
  profile = /var/kerberos/krb5kdc/kdc.conf

[capaths]
  UIB.NO = {
     UNIX.UIB.NO = .
  }

  UNIX.UIB.NO = {
     UIB.NO = .
  }

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 650000
    renew_lifetime = 650000
    forwardable = true
    proxiable = true
    krb4_convert = false
  }
===
I have spent a lot of time fiddling with capaths, to no avail.  My 
.htaccess on both servers looks like this:
===
   AuthType Kerberos
   AuthName "Kerberos Login "
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   KrbAuthRealms UNIX.UIB.NO
   KrbServiceName "HTTP"
   Krb5Keytab /etc/httpd/conf/radisson_http.keytab
   KrbLocalUserMapping on
   Require valid-user
===

Any ideas where I need to look to figure this one out?  It looks as if 
the RHEL5 server somehow fails to inform the Windows client that it needs 
to get a TGT for UNIX.UIB.NO, but why then does the RHEL4 server provide 
this information?

-BT
-- 
Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund at it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
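The auth_to_local rule in the krb5.conf above is what KrbLocalUserMapping relies on to turn a cross-realm principal into a local user name. As an added illustration (not part of the original post, and not mod_auth_kerb's or MIT's own code), the following Python re-implements the subset of MIT's RULE: syntax that rule uses and runs the post's rule over a few constructed principals. The sample principals and the helper names apply_rule and map_principals are assumptions.

```python
import re

# Constructed example: evaluator for the MIT krb5 auth_to_local "RULE:" syntax,
# covering the subset RULE:[n:format](selector)s/pattern/replacement/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*?)\)(s/.*)?$")

def apply_rule(rule, principal):
    """Return the local user name the rule yields for principal, or None when it does not apply."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported auth_to_local rule: %s" % rule)
    ncomp, fmt, selector, subst = m.groups()
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    # [n:...] only fires for principals with exactly n name components
    if len(comps) != int(ncomp):
        return None
    # Build the candidate string: $0 is the realm, $1..$n are the name components
    cand = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, start=1):
        cand = cand.replace("$%d" % i, comp)
    # MIT requires the selector regex to match the entire candidate string
    if re.fullmatch(selector, cand) is None:
        return None
    if subst:
        # s/pattern/replacement/ with an optional trailing g flag
        pat, repl, flags = (subst[2:].split("/") + [""])[:3]
        cand = re.sub(pat, repl, cand, count=0 if "g" in flags else 1)
    return cand

# The rule exactly as it appears in the krb5.conf quoted in the post
PAGE_RULE = "RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//"

def map_principals(rule, principals):
    """Map each principal through rule; shows which realms land in the local user namespace."""
    return {p: apply_rule(rule, p) for p in principals}

if __name__ == "__main__":
    # Constructed sample principals (not taken from the post)
    sample = ["bts@UIB.NO", "bts@UNIX.UIB.NO", "bts@KLIENT.UIB.NO",
              "bts@EXAMPLE.COM", "host/web.uib.no@UNIX.UIB.NO"]
    for p, local in map_principals(PAGE_RULE, sample).items():
        print("%-30s -> %s" % (p, local))
```

Because the selector `.*@.*UIB.NO` matches any realm whose name ends in UIB.NO, principals from UIB.NO, UNIX.UIB.NO and KLIENT.UIB.NO all map to the same local user, so a user name in any of those realms is treated as the same account on the web server; that is worth confirming is intended for every realm in the trust chain.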


