S4U2self cross realm?
Weijun Wang
weijun.wang at oracle.com
Sun Jul 29 22:41:38 EDT 2012
I'm trying S4U2self to impersonate a client in another realm and it does
not work. Here is my environment:
Realm K1: normal principal u1
Realm K2: normal principal u2
service host/host.k2, with
+ok_to_auth_as_delegate
allowed_to_delegate_to *
another service s2
Now, with default realm being K2
$ kinit -k host/host.k2
$ t_s4u u2 at K2 s2 at K2
works fine, but
$ t_s4u u1 at K1 s2 at K2
Protocol transition tests follow
-----------------------------------
gss_acquire_cred_impersonate_name: Unspecified GSS failure. Minor code
may provide more information
gss_acquire_cred_impersonate_name: Server not found in Kerberos database
The log of K2 shows host/host.k2 first trying to get a cross-realm TGT
to K1:
Jul 30 10:30:25 960x krb5kdc[8117](info): TGS_REQ (4 etypes {18 17 16
23}) 127.0.0.1: ISSUE: authtime 1343615413, etypes {rep=18 tkt=18
ses=18}, host/host.k2 at K2 for krbtgt/K1 at K2
and in K1's log, it shows
Jul 30 10:30:25 960x krb5kdc[8114](info): TGS_REQ (4 etypes {18 17 16
23}) 127.0.0.1: UNKNOWN_SERVER: authtime 0, host/host.k2 at K2 for
host/host.k2 at K1, Server not found in Kerberos database
Both realms have correct [domain_realm] settings, and I have no idea why
the K1 KDC cannot return a referral ticket to K2.
Thanks
Weijun
More information about the Kerberos
mailing list