On Tue, Apr 12, 2016 at 06:56:51PM -0700, Vivek Shrivastava wrote:
> Hi,
>
>
> I am trying to set up cross domain trust between FreeIPA and MIT Kerberos. I
> have already created krbtgt in both FreeIPA and MIT Kerberos. I can
> successfully get Kerberos ticket from both domains. However when I try

Which kind of tickets did you try, only TGTs or service tickets as well? Have
you tried

kinit [email protected]
kvno server/[email protected]

i.e. to get a service ticket from TEST2.COM for a user from TEST.COM?

I'm asking because the error below "error Message is Integrity check on
decrypted field failed" looks a bit like the shared key in the cross-realm
TGTs (krbtgt/[email protected] and krbtgt/[email protected]) are not the
same.

HTH

bye,
Sumit

> to access Hadoop using the FreeIPA domain then I get this error in trace
> log. Wondering what is missing?
>
>
> Service ticket not found in the subject
>
> >>> Realm doInitialParse: cRealm=[TEST.COM], sRealm=[TEST2.COM]
> >>> Realm parseCapaths: no cfg entry
> >>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/[email protected]
> Using builtin default etypes for default_tgs_enctypes
> default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> getKDCFromDNS using UDP
> >>> KrbKdcReq send: kdc=test2company.com. UDP:88, timeout=30000, number of retries =3, #bytes=701
> >>> KDCCommunication: kdc=test2company.com. UDP:88, timeout=30000,Attempt =1, #bytes=701
> >>> KrbKdcReq send: #bytes read=637
> >>> KdcAccessibility: remove test2company.com.:88
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> Credentials acquireServiceCreds: global OK-AS-DELEGATE turned off at krbtgt/[email protected]
> >>> Credentials acquireServiceCreds: got tgt
> >>> Credentials acquireServiceCreds: got right tgt
> >>> Credentials acquireServiceCreds: obtaining service creds for nn/[email protected]
> Using builtin default etypes for default_tgs_enctypes
> default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> KrbKdcReq send: kdc=testcompany.com UDP:88, timeout=30000, number of retries =3, #bytes=662
> >>> KDCCommunication: kdc=testcompany.com UDP:88, timeout=30000,Attempt =1, #bytes=662
> >>> KrbKdcReq send: #bytes read=150
> >>> KdcAccessibility: remove testcompany.com
> >>> KDCRep: init() encoding tag is 126 req type is 13
> >>>KRBError:
>          cTime is Sun Jun 01 13:55:49 EDT 1975 170877349000
>          sTime is Sat Apr 09 15:01:16 EDT 2016 1460228476000
>          suSec is 693381
>          error code is 31
>          error Message is Integrity check on decrypted field failed
>          realm is TEST2.COM
>          sname is nn/testcompany.com
>          msgType is 30
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
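
Added example, not part of the original thread: a Python sketch that reads a JDK Kerberos debug trace like the one quoted above and reports at which step of the cross-realm request the KDC error occurred. The sample trace is condensed from the quoted log with elided principals written as `<elided>`; the function name, field names and verdict wording are assumptions made for illustration.

```python
import re

# Constructed sample condensed from the quoted trace; elided principals shown as <elided>.
SAMPLE_TRACE = """\
>>> Realm doInitialParse: cRealm=[TEST.COM], sRealm=[TEST2.COM]
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/<elided>
>>> KrbKdcReq send: kdc=test2company.com. UDP:88, timeout=30000, number of retries =3, #bytes=701
>>> Credentials acquireServiceCreds: got right tgt
>>> Credentials acquireServiceCreds: obtaining service creds for nn/<elided>
>>> KrbKdcReq send: kdc=testcompany.com UDP:88, timeout=30000, number of retries =3, #bytes=662
>>>KRBError:
         error code is 31
         error Message is Integrity check on decrypted field failed
"""

# RFC 4120 error codes that point at a problem with the key protecting a ticket.
KEY_ERRORS = {31: "KRB_AP_ERR_BAD_INTEGRITY", 44: "KRB_AP_ERR_BADKEYVER",
              45: "KRB_AP_ERR_NOKEY"}

def diagnose(trace):
    """Locate the failing step of a cross-realm ticket request in a JDK trace."""
    r = {"client_realm": None, "service_realm": None, "failing_kdc": None,
         "got_cross_realm_tgt": False, "stage": "initial", "error": None,
         "verdict": "no KRBError in trace"}
    last_kdc = None
    for line in trace.splitlines():
        if m := re.search(r"cRealm=\[(.*?)\], sRealm=\[(.*?)\]", line):
            r["client_realm"], r["service_realm"] = m.groups()
        elif "tempService=krbtgt/" in line:
            r["stage"] = "cross-realm TGT request"
        elif "got right tgt" in line:
            r["got_cross_realm_tgt"] = True
        elif "obtaining service creds" in line:
            r["stage"] = "service ticket request"
        elif m := re.search(r"KrbKdcReq send: kdc=(\S+?)\.? ", line):
            last_kdc = m.group(1)  # KDC that receives the next request
        elif m := re.search(r"error code is (\d+)", line):
            code = int(m.group(1))
            r["error"] = KEY_ERRORS.get(code, f"error {code}")
            r["failing_kdc"] = last_kdc
            if code in KEY_ERRORS and r["got_cross_realm_tgt"]:
                r["verdict"] = ("KDC rejected the cross-realm TGT: compare key, "
                                "kvno and enctypes of the krbtgt principal in both realms")
            else:
                r["verdict"] = "failure is not a cross-realm key mismatch signature"
    return r

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

On the sample, the error is reported at the service ticket request, after the cross-realm TGT was already obtained, which is the pattern the reply attributes to mismatched cross-realm keys.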
