cross realm authentication problem
steve at terapak.com
Wed Apr 8 17:27:53 EDT 2009
Ok I am having a problem getting a service ticket from a different realm than my principal use is on.
Here is my setup:
Using KDC on AD for both realms. Each domain has a short-cut trust between each other. Let's call them X & Y.
When I get a service ticket for the same realm it works fine: service/host@X.
For cross realms I am seeing strange behavior at network level.
User from realm X asks for a service ticket from realm Y: service/host@Y.
First I get back the cross-realm TGT as in tgt/Y@X. From everything I have seen, this is correct behavior.
When I see the TGS-REQ with that TGT I get the following error:
KRB5 KRB Error: KDC_ERR_WRONG_REALM
There is very little information related to this error, but what I did find tells me that it will occur when the TGT is for the wrong realm that you are asking for a ticket from.
One thing I thought might be wrong is that the TGT is from the X realm but it is for the Y realm, but all conversations said this is correct behavior and that I should be able to use that krbtgt to get services from realm Y.
I have tried kfw versions 3.2.2 and version 2.6.5 and the behavior is the same.
I am quite confused.
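The two-hop cross-realm path the post describes, as an added toy model (not code from the post, MIT Kerberos or AD): a client holding a TGT for realm X asks for service/host@Y, X's KDC issues krbtgt/Y@X, and that cross-realm TGT must be taken to Y's KDC. The realm names, the `Kdc`/`Ticket` classes and the rule that a KDC answers KDC_ERR_WRONG_REALM when handed a TGT whose target realm is not its own are assumptions of this model; which error a real KDC returns in that case is not asserted here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    sname: str   # service part of the principal the ticket is for, e.g. "krbtgt/Y"
    srealm: str  # realm of the KDC that issued it (constructed model, not real encoding)


def split_principal(principal: str):
    """Split 'service/host@REALM' into (name, realm)."""
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        raise ValueError(f"not a principal: {principal!r}")
    return name, realm


def tgt_target_realm(tgt: Ticket) -> str:
    """krbtgt/Y@X is meant for realm Y's KDC: the realm is the instance part of the sname."""
    return tgt.sname.split("/", 1)[1]


class Kdc:
    def __init__(self, realm: str, trusts):
        self.realm = realm          # realm this KDC serves
        self.trusts = set(trusts)   # realms it has a direct (shortcut) trust with

    def tgs_req(self, tgt: Ticket, service: str):
        """Return (code, ticket); codes are KRB-ERROR names, assumed for this model."""
        sname, srealm = split_principal(service)
        if tgt_target_realm(tgt) != self.realm:
            return "KDC_ERR_WRONG_REALM", None      # assumption: TGT presented to the wrong KDC
        if srealm == self.realm:
            return "OK", Ticket(sname, self.realm)  # local service: issue the service ticket
        if srealm in self.trusts:
            return "OK", Ticket(f"krbtgt/{srealm}", self.realm)  # cross-realm TGT for srealm
        return "KDC_ERR_S_PRINCIPAL_UNKNOWN", None


def get_service_ticket(kdcs: dict, tgt: Ticket, service: str):
    """Walk the referral chain: each hop goes to the KDC of the realm the current TGT targets."""
    wanted = split_principal(service)[0]
    path = []
    for _ in range(len(kdcs) + 1):
        hop = tgt_target_realm(tgt)
        code, ticket = kdcs[hop].tgs_req(tgt, service)
        path.append((hop, code))
        if code != "OK":
            return path, None
        if ticket.sname == wanted:
            return path, ticket
        tgt = ticket  # got a cross-realm TGT; continue at the next realm
    return path, None
```

Two KDCs with a mutual shortcut trust give the path [("X", "OK"), ("Y", "OK")]; handing krbtgt/Y@X to X's KDC instead of Y's is what the model flags.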