Kerberos multi domain - Update
Tim Alsop
Tim.Alsop at cybersafe.com
Sun Jan 3 05:35:38 EST 2010
Flavien,
When you use kinit user_name@MSDEMO2 the keytab file is not used, unless you use the -k option. Without -k, a password is used to get the initial ticket, and with -k the key in the keytab is used instead of a password entered by the user.
It looks like there is a bug in the Kerberos library you are using, and it is causing this exception.
Thanks,
Tim
-----Original Message-----
From: BOUCHER, Flavien [mailto:flavien.a.boucher at sogeti.com]
Sent: 03 January 2010 10:33
To: Tim Alsop; kerberos at mit.edu
Subject: RE: Kerberos multi domain - Update
Hi Tim,
When I try, I obtain this result:
java.lang.ClassCastException: java.lang.NegativeArraySizeException incompatible with com.ibm.security.krb5.KrbException
at com.ibm.security.krb5.g.a(g.java:78)
at com.ibm.security.krb5.g.a(g.java:10)
at com.ibm.security.krb5.internal.tools.Kinit.a(Kinit.java:126)
at com.ibm.security.krb5.internal.tools.Kinit.<init>(Kinit.java:65)
at com.ibm.security.krb5.internal.tools.Kinit.main(Kinit.java:150)
com.ibm.security.krb5.KrbException, code état : 0
message : java.lang.ClassCastException: java.lang.NegativeArraySizeException incompatible with com.ibm.security.krb5.KrbException
Is it an issue with my keytab file?
Regards.
Flavien.
-----Original Message-----
From: Tim Alsop [mailto:Tim.Alsop at cybersafe.com]
Sent: Sunday, 3 January 2010 11:24
To: BOUCHER, Flavien; kerberos at mit.edu
Subject: RE: Kerberos multi domain - Update
Flavien,
Have you tried:
kinit user_name@MSDEMO2
Thanks,
Tim
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of BOUCHER, Flavien
Sent: 03 January 2010 09:01
To: kerberos at mit.edu
Subject: Re: Kerberos multi domain - Update
Hi,
Thanks for your answer, Edward. My two KDCs have distinct IP @ and port.
I have done a test with KINIT. When I run 'KINIT -A user_name', the KINIT command builds user_name@MSDEMO; MSDEMO is the default_realm set up in my krb5.conf. How could I obtain user_name@MSDEMO2 except by changing default_realm in krb5.conf?
Regards.
Flavien.
Date: Sat, 02 Jan 2010 15:10:56 +1300
From: Edward Murrell <edward at murrell.co.nz>
Subject: Re: Kerberos multi domain
To: "kerberos at mit.edu" <kerberos at mit.edu>
Message-ID: <1262398256.2052.29.camel at boyle>
Content-Type: text/plain; charset="UTF-8"
As far as I know, MIT Kerberos can run multiple KDCs from the same machine, but each realm needs to have its own IP or set of ports.
On Fri, 2010-01-01 at 13:19 +0100, BOUCHER, Flavien wrote:
> Hi,
>
> I need to set up Kerberos for six distinct domains; there is no trust relationship between the domains.
> When I set up the domains one by one, it works.
>
> After testing each domain one by one, I merge the keytab files and change the krb5.conf file:
>
> [libdefaults]
> default_realm = MSDEMO
> default_keytab_name = FILE:C:\Kerberos\lcserver01.keytab
> default_tkt_enctypes = rc4-hmac des-cbc-md5
> default_tgs_enctypes = rc4-hmac des-cbc-md5
> forwardable = true
> renewable = true
> noaddresses = true
> clockskew = 300
> [realms]
> MSDEMO = {
> kdc = dc.msdemo.local:88
> default_domain = dc.msdemo.local
> }
>
> MSDEMO2 = {
> kdc = dc2.msdemo2.local:88
> default_domain = msdemo2.local
> }
> [domain_realm]
> .msdemo.local = MSDEMO
> .msdemo2.local = MSDEMO2
>
>
> When I merge the keytabs of these two domains and change the krb5.conf, only the authentication for MSDEMO is working.
> When I change the krb5.conf and enter default_realm = MSDEMO2, the authentication is working for MSDEMO2.
>
> Is it possible to make the authentication work for both domains at the same time?
>
> Regards.
>
> Flavien.
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
____________________________________________________________
Flavien Boucher / Sogeti / Paris France
Mob. : +33 (0) 6.07.72.60.67
www.sogeti.com
Email : flavien.a.boucher at sogeti.com
6-8 rue Duret / 75016 Paris
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
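
Added example, not part of the thread and not code from any poster: one way to check that a merged keytab like the one discussed above really holds live entries for both realms, by reading the keytab file format version 2 (0x05 0x02 header) directly. The service principal names, key version numbers and all-zero keys in SAMPLE are constructed for illustration; build_entry and realms_in are hypothetical helper names.

```python
import struct
from collections import Counter

def _cstr(s: bytes) -> bytes:
    return struct.pack(">H", len(s)) + s          # counted string: uint16 length + data

def build_entry(realm, components, kvno, enctype, key):
    """Build one constructed sample record (dummy key bytes, not a real key)."""
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno)        # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _cstr(key)  # keyblock: enctype + counted key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes):
    """Return [(principal, realm, kvno, enctype)] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:              # negative size: deleted entry (hole) of |size| bytes
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated entry at offset %d" % pos)
        rec, off, fields = data[pos:pos + size], 2, []
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", rec, off)
            fields.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", rec, off)
        (klen,) = struct.unpack_from(">H", rec, off + 11)
        off += 13 + klen            # skip past the key bytes
        if len(rec) - off >= 4:     # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        out.append(("/".join(fields[1:]), fields[0], kvno, enctype))
        pos += size
    return out

def realms_in(data: bytes) -> Counter:
    """Count live entries per realm, to confirm a merge kept every realm."""
    return Counter(realm for _, realm, _, _ in parse_keytab(data))

# Constructed sample: merged keytab, one rc4-hmac (enctype 23) entry per realm, one hole.
SAMPLE = (b"\x05\x02"
          + build_entry("MSDEMO", ["HTTP", "lcserver01.msdemo.local"], 3, 23, b"\x00" * 16)
          + struct.pack(">i", -6) + b"\x00" * 6
          + build_entry("MSDEMO2", ["HTTP", "lcserver01.msdemo2.local"], 5, 23, b"\x00" * 16))
```

To inspect a real file, pass its bytes (read in binary mode) to realms_in and compare the realms against the [realms] section of krb5.conf.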