Define SPN for multi domain

BOUCHER, Flavien flavien.a.boucher at sogeti.com
Mon Jan 4 13:52:08 EST 2010


Hi,

I have a new question regarding the setup of Kerberos.

In each domain I need to run a ktpass command to create the key file and the SPN on the user.
In each domain, for the SPN, I use HTTP/myserver.ad.net@DOMAIN1.COM; I just change the value of DOMAIN. Is this correct, or should I also change the value of myserver.ad.net? Because when I merge the key files I will have all the entries with HTTP/myserver.ad.net.

Thanks for your help

Regards.

Flavien.

-----Original Message-----
From: Tim Alsop [mailto:Tim.Alsop at CyberSafe.com]
Sent: Sunday 3 January 2010 12:27
To: BOUCHER, Flavien
Subject: RE: Kerberos multi domain - Update

If you are not using -k then keytabs (e.g. ktpass) are not involved. If something is wrong with the key in the keytab (caused by a ktpass issue) then this should not cause an exception/dump.

Tim

-----Original Message-----
From: BOUCHER, Flavien [mailto:flavien.a.boucher at sogeti.com]
Sent: 03 January 2010 11:26
To: Tim Alsop
Subject: RE: Kerberos multi domain - Update

One more question :), do you think this issue could come from my ktpass? I receive a warning on the ptype when I run the ktpass command.

Flavien.

-----Original Message-----
From: Tim Alsop [mailto:Tim.Alsop at CyberSafe.com]
Sent: Sunday 3 January 2010 12:20
To: BOUCHER, Flavien
Subject: RE: Kerberos multi domain - Update

If both realms are configured, then they should both work, and obviously only one of them can be configured as the default. You should be able to get tickets from any realm configured and the software should not crash/dump.

Tim

-----Original Message-----
From: BOUCHER, Flavien [mailto:flavien.a.boucher at sogeti.com]
Sent: 03 January 2010 11:18
To: Tim Alsop
Subject: RE: Kerberos multi domain - Update

Thanks for your help.

I think the issue comes from my krb5.conf or my WebSphere server, because I am only able to make Kerberos work with the domain in the default_realm value.

Regards.

Flavien.

-----Original Message-----
From: Tim Alsop [mailto:Tim.Alsop at CyberSafe.com]
Sent: Sunday 3 January 2010 11:46
To: BOUCHER, Flavien
Subject: RE: Kerberos multi domain - Update

Flavien,

I don't know. Sorry. You need to talk to IBM.
My company develops and sells commercially supported cross-platform implementations of the Kerberos protocol and associated standards, and we don't use open source code. I am more familiar with our own code than I am with open source implementations. For Java we use JNI so that the amount of actual Java code is reduced and performance is increased, and the features provided to Java apps are the same as to non-Java apps. The Java implementation of Kerberos is well known for being outdated, not very feature rich and having many bugs.

Thanks,
Tim

-----Original Message-----
From: BOUCHER, Flavien [mailto:flavien.a.boucher at sogeti.com]
Sent: 03 January 2010 10:42
To: Tim Alsop
Subject: RE: Kerberos multi domain - Update

Ok, thanks.

Do you know where I can download / upgrade this Kerberos library?
For your information, I am using the WebSphere tools (kinit, ktab, klist) provided by IBM in the Java SDK 1.5. I will check on the IBM site if there is some bug in this library.

Thanks for your help.

Regards.
Flavien.

-----Original Message-----
From: Tim Alsop [mailto:Tim.Alsop at CyberSafe.com]
Sent: Sunday 3 January 2010 11:36
To: BOUCHER, Flavien; kerberos at mit.edu
Subject: RE: Kerberos multi domain - Update

Flavien,

When you use kinit user_name@MSDEMO2 the keytab file is not used, unless you use the -k option. Without -k a password is used to get the initial ticket, and with -k the key in the keytab is used instead of a password entered by the user.

It looks like there is a bug in the Kerberos library you are using, and it is causing this exception.

Thanks,
Tim

-----Original Message-----
From: BOUCHER, Flavien [mailto:flavien.a.boucher at sogeti.com]
Sent: 03 January 2010 10:33
To: Tim Alsop; kerberos at mit.edu
Subject: RE: Kerberos multi domain - Update

Hi Tim,

When I try, I obtain this result:

java.lang.ClassCastException: java.lang.NegativeArraySizeException incompatible with com.ibm.security.krb5.KrbException
        at com.ibm.security.krb5.g.a(g.java:78)
        at com.ibm.security.krb5.g.a(g.java:10)
        at com.ibm.security.krb5.internal.tools.Kinit.a(Kinit.java:126)
        at com.ibm.security.krb5.internal.tools.Kinit.<init>(Kinit.java:65)
        at com.ibm.security.krb5.internal.tools.Kinit.main(Kinit.java:150)
com.ibm.security.krb5.KrbException, status code: 0
        message: java.lang.ClassCastException: java.lang.NegativeArraySizeException incompatible with com.ibm.security.krb5.KrbException


Is it an issue with my keytab file ?

Regards.
Flavien.

-----Original Message-----
From: Tim Alsop [mailto:Tim.Alsop at cybersafe.com]
Sent: Sunday 3 January 2010 11:24
To: BOUCHER, Flavien; kerberos at mit.edu
Subject: RE: Kerberos multi domain - Update

Flavien,

Have you tried:

kinit user_name@MSDEMO2

Thanks,
Tim

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of BOUCHER, Flavien
Sent: 03 January 2010 09:01
To: kerberos at mit.edu
Subject: Re: Kerberos multi domain - Update

Hi,

Thanks for your answer, Edward. My two KDCs have distinct IP addresses and ports.

I have done a test with kinit. When I run 'kinit -A user_name', the kinit command builds user_name@MSDEMO; MSDEMO is the default_realm set up in my krb5.conf. How could I obtain user_name@MSDEMO2 except by changing default_realm in krb5.conf?

Regards.

Flavien.



Date: Sat, 02 Jan 2010 15:10:56 +1300
From: Edward Murrell <edward at murrell.co.nz>
Subject: Re: Kerberos multi domain
To: "kerberos at mit.edu" <kerberos at mit.edu>
Message-ID: <1262398256.2052.29.camel at boyle>
Content-Type: text/plain; charset="UTF-8"

As far as I know, MIT Kerberos can run multiple KDCs on the same machine, but each realm needs its own IP or set of ports.

On Fri, 2010-01-01 at 13:19 +0100, BOUCHER, Flavien wrote:
> Hi,
>
> I need to set up Kerberos for six distinct domains; there is no trust relationship between the domains.
> When I set up one domain at a time, it works.
>
> After testing each domain one by one, I merged the keytab files and changed the krb5.conf file:
>
> [libdefaults]
> default_realm = MSDEMO
> default_keytab_name = FILE:C:\Kerberos\lcserver01.keytab
> default_tkt_enctypes = rc4-hmac des-cbc-md5
> default_tgs_enctypes = rc4-hmac des-cbc-md5
> forwardable = true
> renewable = true
> noaddresses = true
> clockskew = 300
>
> [realms]
> MSDEMO = {
>   kdc = dc.msdemo.local:88
>   default_domain = dc.msdemo.local
> }
>
> MSDEMO2 = {
>   kdc = dc2.msdemo2.local:88
>   default_domain = msdemo2.local
> }
>
> [domain_realm]
> .msdemo.local = MSDEMO
> .msdemo2.local = MSDEMO2
>
> When I merge the keytabs of these two domains and change the krb5.conf, only the authentication for MSDEMO works.
> When I change the krb5.conf and enter default_realm = MSDEMO2, the authentication works for MSDEMO2.
>
> Is it possible to make authentication work for both domains at the same time?
>
> Regards.
>
> Flavien.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


____________________________________________________________
Flavien Boucher / Sogeti / Paris France
Mob. : +33 (0) 6.07.72.60.67
www.sogeti.com<http://www.sogeti.com/>
Email : flavien.a.boucher at sogeti.com<mailto:flavien.a.boucher at sogeti.com>
6-8 rue Duret / 75016 Paris
Join the Collaborative Business Experience ____________________________________________________________
Please consider the environment and do not print this email unless absolutely necessary. Sogeti encourages environmental awareness.

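The question at the top of this thread is whether the same SPN string can appear in a merged keytab once per domain. In Kerberos the realm is part of the principal name, so HTTP/myserver.ad.net@DOMAIN1.COM and HTTP/myserver.ad.net@DOMAIN2.COM are two distinct keytab entries: each KDC encrypts service tickets with the key it holds for its own copy of the SPN, and the service needs that realm's key to decrypt them. The script below is an added example written for this page, not code from the poster, IBM or MIT. It builds a constructed keytab in memory with placeholder keys (the MIT keytab file format, version 0x0502, which ktpass also writes), then parses it and groups the entries by realm. The SPN and realm names are the ones used in the thread; the kvno values and the rotated key in DOMAIN2.COM are assumptions for illustration.

```python
import struct
from collections import defaultdict

ENCTYPE_NAMES = {3: "des-cbc-md5", 23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96"}
KEYTAB_VERSION = 0x0502  # MIT keytab v2: every integer is big-endian


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def encode_entry(principal, kvno, enctype, key, name_type=1, timestamp=0):
    """Encode one keytab entry; principal is 'comp1/comp2@REALM' (name_type 1 = KRB5_NT_PRINCIPAL)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))           # realm is not counted in v2
    body += _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)  # keyblock: enctype + key
    body += struct.pack(">I", kvno)                     # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def write_keytab(entries):
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(encode_entry(*e) for e in entries)


def parse_keytab(blob):
    """Yield one dict per live entry of a v2 keytab (deleted entries are skipped)."""
    (version,) = struct.unpack(">H", blob[:2])
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {version:#06x}")
    pos = 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                  # negative size marks a hole left by deletion
            pos += -size
            continue
        entry, pos = blob[pos:pos + size], pos + size
        p = 0

        def take_string():
            nonlocal p
            (n,) = struct.unpack(">H", entry[p:p + 2])
            s = entry[p + 2:p + 2 + n]
            p += 2 + n
            return s.decode()

        (ncomp,) = struct.unpack(">H", entry[p:p + 2])
        p += 2
        realm = take_string()
        comps = [take_string() for _ in range(ncomp)]
        name_type, timestamp, kvno8 = struct.unpack(">IIB", entry[p:p + 9])
        p += 9
        enctype, klen = struct.unpack(">HH", entry[p:p + 4])
        p += 4
        key = entry[p:p + klen]
        p += klen
        kvno32 = struct.unpack(">I", entry[p:p + 4])[0] if p + 4 <= size else 0
        yield {"principal": "/".join(comps) + "@" + realm, "realm": realm,
               "name_type": name_type, "kvno": kvno32 or kvno8,
               "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)), "key": key}


def entries_by_realm(blob):
    by_realm = defaultdict(list)
    for e in parse_keytab(blob):
        by_realm[e["realm"]].append(e)
    return dict(by_realm)


def realms_for_spn(blob):
    """Map each SPN (principal without its realm) to the realms that hold a key for it."""
    realms = defaultdict(set)
    for e in parse_keytab(blob):
        realms[e["principal"].rsplit("@", 1)[0]].add(e["realm"])
    return {spn: sorted(r) for spn, r in realms.items()}


# Constructed merged keytab (placeholder keys): the SPN string is identical in
# both realms, and DOMAIN2.COM keeps a rotated key (kvno 5 and 6) so older
# tickets still decrypt.  Assumed values, not taken from the thread.
MERGED = write_keytab([
    ("HTTP/myserver.ad.net@DOMAIN1.COM", 3, 23, bytes(range(16))),
    ("HTTP/myserver.ad.net@DOMAIN2.COM", 5, 23, bytes(range(16, 32))),
    ("HTTP/myserver.ad.net@DOMAIN2.COM", 6, 23, bytes(range(32, 48))),
])

if __name__ == "__main__":
    for realm, entries in sorted(entries_by_realm(MERGED).items()):
        print(realm)
        for e in entries:
            print(f"  kvno {e['kvno']:>3}  {e['enctype']:<12}  {e['principal']}")
    print("realms per SPN:", realms_for_spn(MERGED))
```

The functions take raw bytes, so `entries_by_realm(open(path, "rb").read())` inspects a real merged keytab and gives the same view as the platform's listing tool (MIT `klist -k -e`, IBM `ktab -l`). Two things worth checking in that output: every realm the service must accept tickets from has an entry, and the kvno per realm matches what the KDC currently issues, since a ktpass rerun resets the account's key and bumps kvno.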

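The other question in the thread is why `kinit user_name` always produces user_name@MSDEMO and how a client reaches MSDEMO2 without editing default_realm. Two rules decide that: a principal typed without `@REALM` gets default_realm appended, and a service host is mapped to a realm through [domain_realm] (exact host first, then each parent domain with a leading dot). The script below is an added example for this page, not MIT, IBM or the poster's code. It parses a constructed copy of the posted krb5.conf (the sections relevant to realm selection) and applies those two rules. Hosts with no [domain_realm] mapping fall back to default_realm here; that is a simplification, since real libraries may also consult DNS or KDC referrals.

```python
import re

# Constructed from the krb5.conf quoted in the thread, trimmed to the sections
# that drive realm selection.
KRB5_CONF = """\
[libdefaults]
 default_realm = MSDEMO
 default_keytab_name = FILE:C:\\Kerberos\\lcserver01.keytab
[realms]
 MSDEMO = {
  kdc = dc.msdemo.local:88
 }
 MSDEMO2 = {
  kdc = dc2.msdemo2.local:88
 }
[domain_realm]
 .msdemo.local = MSDEMO
 .msdemo2.local = MSDEMO2
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [section], key = value, and NAME = { ... } subsections.
    Every value is stored as a list because keys such as kdc may repeat."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, sub = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line == "}":
            sub = None
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        target = conf[section]
        if value == "{":
            sub = key
            target.setdefault(sub, {})
            continue
        if sub is not None:
            target = target[sub]
        target.setdefault(key, []).append(value)
    return conf


def qualify_principal(conf, name):
    """What 'kinit name' does: append default_realm unless the realm was given."""
    if "@" in name:
        return name
    return f"{name}@{conf['libdefaults']['default_realm'][0]}"


def realm_for_host(conf, host):
    """[domain_realm] lookup: exact host, then parent domains, longest match first."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return conf["libdefaults"]["default_realm"][0]  # simplification: no DNS/referral step


def kdcs_for_realm(conf, realm):
    return conf["realms"][realm]["kdc"]


CONF = parse_krb5_conf(KRB5_CONF)

if __name__ == "__main__":
    for name in ("user_name", "user_name@MSDEMO2"):
        print(f"{name:<22} -> {qualify_principal(CONF, name)}")
    for host in ("dc2.msdemo2.local", "MyServer.MSDEMO.local", "web.other.example"):
        realm = realm_for_host(CONF, host)
        print(f"{host:<22} -> {realm} via {kdcs_for_realm(CONF, realm)}")
```

The practical consequence for a service accepting clients from several untrusted realms is that the client side, not the server's krb5.conf, chooses the realm: each client's own configuration maps the service host to its realm and asks its own KDC for HTTP/myserver.ad.net in that realm, so the server needs a keytab entry for every realm it is expected to serve.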