Hello everybody,

Could you please point stupid me to the right piece of documentation?

I've built a Kerberos realm, where the KDC is MS AD, servers are OpenSSH and OpenLDAP on Solaris 8, and clients are on Solaris and Cygwin. I have used the GSSAPI implementations from Heimdal and MIT with equal success - everything worked just perfectly!

Now for some odd reasons I have to build a pure UNIX realm and to establish a one-way trust, where the UNIX realm trusts AD, and users, once logged into the AD realm, should also be able to log into the UNIX realm. I have tried both Heimdal 0.6.4 and MIT 1.4.1 as the UNIX realm, and in both cases I have the same result with OpenSSH:

1) assuming that the AD realm is called A, and the UNIX realm is called B, the client obtains a TGT for realm A.
2) trying to ssh into realm B, the client gets ticket krbtgt/[EMAIL PROTECTED]
3) the client gets ticket host/[EMAIL PROTECTED]

and at this moment GSSAPI fails to establish a context between the client and server SSH. The SSH server writes in its log "gssapi-with-mic failed" ...

Since both Heimdal and MIT behave in exactly the same manner with several versions of OpenSSH (from 3.8.1 to 4.0), and I have no problems with AD and Heimdal/MIT if not trying them to trust each other, I am absolutely sure that I've missed the right documentation ... Can you please tell me where I could dig further?

Thanx a lot and best regards,
vadim tarassov.

--
vadim <[EMAIL PROTECTED]>
