Dave Botsch wrote:
> So, I'm trying to set up one way cross realm auth.
>
> We have two realms... realmA and realmB
>
> On both KDCs, we have created the principal krbtgt/[EMAIL PROTECTED] with the same
> kvno and the same password.

And same e-types?

> I can even kinit krbtgt/[EMAIL PROTECTED] (which talks to the realmA server) and
> get a ticket as that principal.
>
> So, here's where things go wacky...
>
> I kinit [EMAIL PROTECTED] - fine
>
> I then try to do something (ssh for example) that requires a ticket in realm B.
>
> Failure with the following error: Decrypt Integrity Check Failed - this error
> also shows up in the realmB kdc log.
>
> a klist shows:
> krbtgt/[EMAIL PROTECTED]
> krbtgt/[EMAIL PROTECTED]

Is the above correct? The second one should be krbtgt/[EMAIL PROTECTED]
i.e. ticket issued by A but usable at realm B.

> but, of course, no service ticket.
>
> Any thoughts on what to try/look at? As best I can tell, this should just work,
> but clearly it isn't.
>
> I haven't figured out if there is a way to kinit krbtgt/[EMAIL PROTECTED] to
> realmB's servers to verify it isn't somehow mangling the password -- is there a
> way to do this?
>
> realmB is rhel4u4 - krb5-server-1.3.4-33
>
> I don't know what realmA is as I don't control that KDC.

Then how do you know the key was added correctly?
Is realm A Windows AD?

As Ken said, sounds like keys don't match.

> Thanks!
>

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
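Added example, not part of the original message: a sketch of the comparison the reply's questions point at, checking that both realms' copies of the cross-realm krbtgt principal list the same kvno and enctypes. The getprinc-style text is constructed (modelled on the "Key:" lines MIT kadmin prints), the realm names are placeholders, and the function names are hypothetical; matching lists do not prove the key bytes themselves match.

```python
import re

# Constructed sample output, modelled on the "Key:" lines printed by MIT
# kadmin's getprinc (format is an assumption); realm names are placeholders.
REALM_A = """\
Principal: krbtgt/REALMB.EXAMPLE@REALMA.EXAMPLE
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
"""
REALM_B = """\
Principal: krbtgt/REALMB.EXAMPLE@REALMA.EXAMPLE
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
"""

# kvno, enctype description, optional salt description
KEY_LINE = re.compile(r"^Key: vno (\d+), ([^,]+?)(?:, (.+))?$", re.M)

def parse_keys(getprinc_output):
    """Return the set of (kvno, enctype, salt) tuples listed for a principal."""
    return {(int(v), e.strip(), (s or "default").strip())
            for v, e, s in KEY_LINE.findall(getprinc_output)}

def compare_cross_realm_keys(out_a, out_b):
    """List the ways the two copies of the cross-realm principal disagree."""
    a, b = parse_keys(out_a), parse_keys(out_b)
    problems = []
    kvno_a, kvno_b = {k[0] for k in a}, {k[0] for k in b}
    if kvno_a != kvno_b:
        problems.append(f"kvno differs: A={sorted(kvno_a)} B={sorted(kvno_b)}")
    # Compare (enctype, salt) pairs independently of kvno.
    etypes_a, etypes_b = {k[1:] for k in a}, {k[1:] for k in b}
    for etype, salt in sorted(etypes_a - etypes_b):
        problems.append(f"only in A: {etype} ({salt})")
    for etype, salt in sorted(etypes_b - etypes_a):
        problems.append(f"only in B: {etype} ({salt})")
    return problems

if __name__ == "__main__":
    for line in compare_cross_realm_keys(REALM_A, REALM_B) or ["key lists agree"]:
        print(line)
```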
