capath and transitivity
Fabrice Bacchella
fbacchella at spamcop.net
Thu Sep 1 05:49:52 EDT 2011
I'm trying to set up a transitive relationship between three Kerberos realms, two of them being AD domains and one a pure MIT one.
I'm doing my test on a Scientific Linux 6.1, up to date.
In krb5.conf, I have added:
[domain_realm]
    d1 = R1
    d2 = R2
    d3 = R3

[realms]
    R1 = {
        kdc = kdc.d1
    }
    R2 = {
        kdc = kdc.d2
    }
    R3 = {
        kdc = kdc.d3
    }

[capaths]
    R1 = {
        R3 = R2
        R2 = R2
        R1 = .
    }
    R2 = {
        R3 = R3
        R2 = .
        R1 = R1
    }
    R3 = {
        R1 = R2
        R2 = R2
        R3 = .
    }
So I want R1 and R3 to trust each other through R2. R1 and R2 are on AD servers, R3 is on a MIT server.
There are the needed trust relationships between both R1 and R2 and R2 and R3, with the needed krbtgt/R2@R1 and krbtgt/R3@R2.
But it fails, and for a very strange reason.
I do a kinit user@R1; it's fine.
I do ssh user@host.d3 on my SL6.1 host; it fails, and when I look at the ticket requests with Wireshark, I see the following queries:
- on kdc.d1, a TGS_REQ for krbtgt/R3@R1 that fails with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
- on kdc.d1, a TGS_REQ for krbtgt/R2@R1, success;
- on kdc.d2, a TGS_REQ for krbtgt/R3@R1, which fails with KDC_ERR_WRONG_REALM.
What's the point of a TGS for krbtgt/R3@R1 on kdc.d2? I expected a TGS_REQ for krbtgt/R3@R2.
I compiled t_walk_rtree and I'm getting:
    $ ./t_walk_rtree R1 R3
    krbtgt/R1@R1
    krbtgt/R2@R1
    krbtgt/R3@R2
Did I miss something? What is wrong with my setup?
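The following is an added illustration, not code from the post or from MIT krb5: a simplified model of how a client walks a [capaths] table from its own realm to the server's realm and which krbtgt principal it must request from which KDC at each hop. The capaths table, realm names and KDC hostnames are the ones from the post; the `OBSERVED` list is the three TGS-REQs the poster saw in Wireshark, typed in by hand. The model compares the expected chain (what t_walk_rtree printed) against what was seen on the wire and says, for each request, whether the KDC it was sent to can even own the named principal. It does not reproduce MIT's full walk algorithm (there is no hierarchical fallback here) and does not diagnose the poster's setup; it only shows why each observed error code is the one a KDC would be expected to return for that request.

```python
"""Walk a Kerberos [capaths] table and check observed TGS-REQs against it.

Added example (not MIT krb5's implementation). Realm names, KDC hostnames
and the capaths table are the placeholders used in the post.
"""
from typing import Dict, List, Tuple, Union

# [capaths] from the post: client realm -> server realm -> intermediate realm(s).
# A value of "." (or the server realm itself) means a direct cross-realm trust.
# krb5.conf allows repeated keys for several intermediates; a list models that.
CAPATHS: Dict[str, Dict[str, Union[str, List[str]]]] = {
    "R1": {"R3": "R2", "R2": "R2", "R1": "."},
    "R2": {"R3": "R3", "R2": ".", "R1": "R1"},
    "R3": {"R1": "R2", "R2": "R2", "R3": "."},
}

# [realms] from the post: which host answers for which realm.
KDC_OF_REALM: Dict[str, str] = {"R1": "kdc.d1", "R2": "kdc.d2", "R3": "kdc.d3"}

# Constructed from the post's Wireshark observations: (KDC host, requested sname).
OBSERVED: List[Tuple[str, str]] = [
    ("kdc.d1", "krbtgt/R3@R1"),
    ("kdc.d1", "krbtgt/R2@R1"),
    ("kdc.d2", "krbtgt/R3@R1"),
]


def transit_path(client_realm: str, server_realm: str,
                 capaths: Dict[str, Dict[str, Union[str, List[str]]]]) -> List[str]:
    """Return the ordered realms the client passes through, client first, server last."""
    if client_realm == server_realm:
        return [client_realm]
    entry = capaths.get(client_realm, {}).get(server_realm)
    if entry is None or entry == ".":
        # No intermediate listed: a direct cross-realm trust is assumed.
        return [client_realm, server_realm]
    intermediates = entry if isinstance(entry, list) else [entry]
    path = [client_realm]
    for realm in intermediates:
        # "." and the endpoints themselves do not add a hop.
        if realm not in (".", client_realm, server_realm) and realm not in path:
            path.append(realm)
    path.append(server_realm)
    return path


def krbtgt_chain(path: List[str]) -> List[str]:
    """krbtgt principals requested along the path, in t_walk_rtree order.

    The client's own TGT comes first; each hop then needs a cross-realm
    TGT named krbtgt/NEXT@CURRENT, issued by CURRENT's KDC.
    """
    chain = [f"krbtgt/{path[0]}@{path[0]}"]
    for current, nxt in zip(path, path[1:]):
        chain.append(f"krbtgt/{nxt}@{current}")
    return chain


def explain_observed(observed: List[Tuple[str, str]], expected_chain: List[str],
                     kdc_of_realm: Dict[str, str]) -> List[Tuple[str, str]]:
    """Label each observed (kdc, sname) request against the expected chain.

    A KDC can only issue tickets for principals in its own realm (the part
    after '@'), so a request whose realm does not match the KDC's realm is
    answered with WRONG_REALM; a request for a principal in the right realm
    that is not on the capath is answered with PRINCIPAL_UNKNOWN.
    """
    realm_of_kdc = {host: realm for realm, host in kdc_of_realm.items()}
    verdicts = []
    for kdc, sname in observed:
        ticket_realm = sname.rsplit("@", 1)[1]
        asked_realm = realm_of_kdc[kdc]
        if ticket_realm != asked_realm:
            verdicts.append((sname, f"sent to {asked_realm}'s KDC but names realm "
                                    f"{ticket_realm}: expect WRONG_REALM"))
        elif sname in expected_chain:
            verdicts.append((sname, "expected hop"))
        else:
            verdicts.append((sname, "not on the capath and not held by this KDC: "
                                    "expect S_PRINCIPAL_UNKNOWN"))
    return verdicts


if __name__ == "__main__":
    path = transit_path("R1", "R3", CAPATHS)
    chain = krbtgt_chain(path)
    print("expected:", " -> ".join(chain))
    for sname, verdict in explain_observed(OBSERVED, chain, KDC_OF_REALM):
        print(f"{sname:16s} {verdict}")
```

Running it prints the same three-principal chain as t_walk_rtree and then labels the three captured requests: the second is the expected hop, the first names a principal R1's KDC does not hold, and the third asks R2's KDC for a principal in realm R1, which is exactly the case a KDC answers with KDC_ERR_WRONG_REALM.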