ksu / cross-realm

Benoit PLESSIS benoit.plessis at powerboutique.com
Thu Nov 7 04:55:00 EST 2019


Hi guys,

I'm having some unexpected difficulties with ksu in a multi-realm
environment.

With user1@REALM1 and server.domain@REALM1 everything is working flawlessly:

    ssh user1@server.domain from user1@REALM1
    ssh user2@server.domain from user1@REALM1 (with appropriate .k5login)
    user1@server.domain> ksu user2

With user1@REALM2 and server@REALM1 the ksu fails:

    ssh user1@server.domain from user1@REALM2 => ok
    ssh user2@server.domain from user1@REALM2 => ok
    user1@server.domain> ksu user2             => Server not found in Kerberos database

Apparently in the second case ksu tries to request a TGS for server@REALM2,
which indeed doesn't exist.

Any idea why?

krb5.conf:

[libdefaults]
    default_realm = REALM1
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    REALM1 = {
        kdc = ...
    }
    REALM2 = {
        kdc = ...
    }

[domain_realm]
    domain = REALM1

[capaths]
    REALM1 = { REALM2 = . }
    REALM2 = { REALM1 = . }


-- 
Benoit
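As an added example (not code from the post or from the krb5 project), here is a small resolver that applies the [domain_realm] lookup order MIT krb5 documents (exact host first, then each shorter suffix, with a dotted tag covering subdomains only and a bare tag covering the domain and its subdomains) to the mapping from the post's krb5.conf. The `parse_domain_realm` helper and the `POST_CONF` text are constructed for the demo; `None` marks the point where no static mapping applies and krb5 falls back to DNS, KDC referrals or default_realm.

```python
# Added example, not from the original post: resolve which realm a host name
# is statically mapped to by a krb5.conf [domain_realm] section.
from typing import Dict, Optional

# The relevant sections of the post's krb5.conf, taken literally (constructed input).
POST_CONF = """
[libdefaults]
    default_realm = REALM1
[domain_realm]
    domain = REALM1
[capaths]
    REALM1 = { REALM2 = . }
"""


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Collect the 'tag = REALM' lines of the [domain_realm] section only."""
    mapping: Dict[str, str] = {}
    in_section = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            tag, realm = (part.strip() for part in line.split("=", 1))
            mapping[tag.lower()] = realm  # tags are case-insensitive
    return mapping


def host_realm(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Return the realm [domain_realm] statically maps hostname to, or None."""
    host = hostname.rstrip(".").lower()
    if host in domain_realm:  # an exact host entry beats any domain entry
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if "." + suffix in domain_realm:  # ".domain": subdomains only
            return domain_realm["." + suffix]
        if suffix in domain_realm:  # "domain": the domain and its subdomains
            return domain_realm[suffix]
    return None  # no static mapping; krb5 tries DNS, referrals, default_realm
```

With the post's mapping, `server.domain` resolves to REALM1, so a request for a REALM2 service principal is not explained by this table alone.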