S4U2self cross realm?

Weijun Wang weijun.wang at oracle.com
Sun Jul 29 22:41:38 EDT 2012


I'm trying S4U2self to impersonate a client in another realm and it does 
not work. Here is my environment:

Realm K1: normal principal u1
Realm K2: normal principal u2
           service host/host.k2, with
              +ok_to_auth_as_delegate
              allowed_to_delegate_to *
           another service s2

Now, with default realm being K2

    $ kinit -k host/host.k2
    $ t_s4u u2@K2 s2@K2

works fine, but

    $ t_s4u u1@K1 s2@K2
    Protocol transition tests follow
    -----------------------------------

    gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
    gss_acquire_cred_impersonate_name: Server not found in Kerberos database


The log of K2 shows host/host.k2 first trying to get a cross-realm TGT 
to K1:

    Jul 30 10:30:25 960x krb5kdc[8117](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1343615413, etypes {rep=18 tkt=18 ses=18}, host/host.k2@K2 for krbtgt/K1@K2

and in K1's log, it shows

    Jul 30 10:30:25 960x krb5kdc[8114](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: UNKNOWN_SERVER: authtime 0,  host/host.k2@K2 for host/host.k2@K1, Server not found in Kerberos database

Both realms have correct [domain_realm] settings, and I have no idea why 
the K1 KDC cannot return a referral ticket to K2.

Thanks
Weijun
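The two KDC log entries above carry the whole diagnosis: the service obtains a cross-realm TGT for K1 and then asks K1's KDC for a ticket to its own name in K1, which K1 rejects with UNKNOWN_SERVER. The following parser and check are an added example (not from the post or from MIT krb5) for spotting that pattern when auditing krb5kdc logs; the sample lines are constructed after the post's two entries, with the principal separator written as "@", and the field layout of other krb5kdc versions is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in krb5kdc's TGS_REQ log format, modelled on the post.
SAMPLE_LOG = """\
Jul 30 10:30:25 960x krb5kdc[8117](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1343615413, etypes {rep=18 tkt=18 ses=18}, host/host.k2@K2 for krbtgt/K1@K2
Jul 30 10:30:25 960x krb5kdc[8114](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: UNKNOWN_SERVER: authtime 0,  host/host.k2@K2 for host/host.k2@K1, Server not found in Kerberos database
"""

# Matches "TGS_REQ (...) addr: STATUS: authtime N, [etypes {...},] client for server[, detail]".
# The optional etypes group only appears on ISSUE lines (assumption from the post's two samples).
TGS_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): TGS_REQ \(\d+ etypes \{[^}]*\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): authtime (?P<authtime>\d+),"
    r"(?: etypes \{[^}]*\},)?\s+(?P<client>[^\s,]+) for (?P<server>[^\s,]+)"
    r"(?:, (?P<detail>.*))?$"
)

@dataclass
class TgsReq:
    status: str
    client: str
    server: str
    detail: Optional[str]

def parse_tgs_line(line: str) -> Optional[TgsReq]:
    """Return the parsed TGS_REQ entry, or None for lines in another format."""
    m = TGS_RE.search(line)
    if not m:
        return None
    return TgsReq(m["status"], m["client"], m["server"], m["detail"])

def split_principal(name: str):
    """'host/host.k2@K2' -> ('host/host.k2', 'K2')."""
    primary, _, realm = name.rpartition("@")
    return primary, realm

def is_cross_realm_self_lookup(req: TgsReq) -> bool:
    """A service asking a foreign KDC for its own name in that realm and being
    refused: the S4U2self cross-realm symptom (host/host.k2@K2 for host/host.k2@K1)."""
    c_name, c_realm = split_principal(req.client)
    s_name, s_realm = split_principal(req.server)
    return c_name == s_name and c_realm != s_realm and req.status == "UNKNOWN_SERVER"

def find_cross_realm_self_lookups(log_text: str):
    """Scan a krb5kdc log and return every entry showing the failed self-lookup."""
    return [req for req in map(parse_tgs_line, log_text.splitlines())
            if req and is_cross_realm_self_lookup(req)]
```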

