On Wed, Nov 08, 2006 at 02:54:38PM -0500, Ken Hornstein wrote:
> >So, I know I've got the right password... I can manually kinit
> >krbtgt/[EMAIL PROTECTED] using the supplied cross-realm password -- that
> >works
>
> Okay ... but unless you did some magic, you weren't sending that request
> to realm B, you only sent that to realm A.

Right. I've been trying to figure out if there's a way to do this kinit to realmB with some sort of magic, but no luck so far. It would certainly be a useful test.

>
> Okay, one other thing comes to mind. Is it possible that the default
> key _salts_ are different between the two realms? Do a getprinc on both
> principals in both realms, and make sure the key salts (listed in the enctypes
> after every key) are the same. The keys should also be in the same order
> (although I don't remember if mis-ordering results in this error). When
> I create cross-realm keys, I specify the enctype:salt pairs manually so
> they will match and have the correct ordering.
>

I believe they match... well, one of them does at any rate. If I understand things, on realmA, it's set up with just one enc/salt type where I've got three on this end. One of those three is the one. I've tried recreating the principal with just the one and no luck.

> --Ken

--
********************************
David William Botsch
Programmer/Analyst
CNF Computing
[EMAIL PROTECTED]
********************************
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
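The getprinc comparison suggested in the thread can be scripted. The following is an added example, not code from either poster: it assumes the kadmin `getprinc` output for the cross-realm principal has been saved from each realm and that each key appears on a line of the form `Key: vno N, enctype, salt`. The realm names and sample output are constructed.

```python
import re

# One key per line in getprinc output, e.g.
# "Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt"
KEY_LINE = re.compile(r"^Key:\s*vno\s+(\d+),\s*(.+?)\s*$")

def parse_keys(getprinc_text):
    """Return [(kvno, 'enctype, salt' text), ...] in the order listed."""
    keys = []
    for line in getprinc_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2)))
    return keys

def compare_keys(text_a, text_b):
    """Describe how the key lists of one principal differ between two realms."""
    a, b = parse_keys(text_a), parse_keys(text_b)
    if a == b:
        return []
    if sorted(a) == sorted(b):
        return ["same keys, different order"]
    problems = ["only in realm A: vno %d, %s" % k for k in a if k not in b]
    problems += ["only in realm B: vno %d, %s" % k for k in b if k not in a]
    return problems or ["key counts differ"]

# Constructed sample output (not taken from the thread): one key in
# realm A, three in realm B, as in the situation described above.
REALM_A = """\
Principal: krbtgt/REALMB.EXAMPLE@REALMA.EXAMPLE
Number of keys: 1
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
"""
REALM_B = """\
Principal: krbtgt/REALMB.EXAMPLE@REALMA.EXAMPLE
Number of keys: 3
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
"""

if __name__ == "__main__":
    for problem in compare_keys(REALM_A, REALM_B):
        print(problem)
```

An empty result means the version numbers, enctypes, salts and ordering printed by both realms are identical.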
