ksu / cross-realm
Benoit PLESSIS
benoit.plessis at powerboutique.com
Thu Nov 7 04:55:00 EST 2019
Hi guys,
I'm having some unexpected difficulties with ksu in a multi-realm
environment.
With user1 at REALM1 and server.domain at REALM1 everything is working flawlessly:
ssh user1 at server.domain from user1 at REALM1
ssh user2 at server.domain from user1 at REALM1 (with appropriate .k5login)
user1 at server.domain> ksu user2
With user1 at REALM2 and server at REALM1 the ksu fails:
ssh user1 at server.domain from user1 at REALM2 => ok
ssh user2 at server.domain from user1 at REALM2 => ok
user1 at server.domain> ksu user2 => Server not found in Kerberos database
Apparently in the second case ksu tries to require a TGS in the form of
server at REALM2, which indeed doesn't exist.
Any idea why?
krb5.conf:
[libdefaults]
default_realm = REALM1
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
REALM1 = {
kdc = ...
}
REALM2 = {
kdc = ...
}
[domain_realm]
domain = REALM1
[capaths]
REALM1 = { REALM2 = . }
REALM2 = { REALM1 = . }
--
Benoit