Well.. we seem to have got it working.

What did we do differently? Two things...

1. changed the order of the supported enctypes in kdc.conf so that the one being used in both places is listed first.
2. recreated the principal with -e to specify only the enctype being used in both places (doing 2 by itself before had not fixed the issue).

From my understanding of Kerberos, this should not matter... interesting.

On Wed, Nov 08, 2006 at 03:00:38PM -0500, Dave Botsch wrote:
> On Wed, Nov 08, 2006 at 02:54:38PM -0500, Ken Hornstein wrote:
> > >So, I know I've got the right password... I can manually kinit
> > >krbtgt/[EMAIL PROTECTED] using the supplied cross-realm password -- that works
> > 
> > Okay ... but unless you did some magic, you weren't sending that request
> > to realm B, you only sent that to realm A.
> 
> Right. I've been trying to figure out if there's a way to do this kinit to
> realmB with some sort of magic, but no luck so far. It would certainly be a
> useful test.
> 
> > 
> > 
> > Okay, one other thing comes to mind.  Is it possible that the default
> > key _salts_ are different between the two realms?  Do a getprinc on both
> > principals in both realms, and make sure the key salts (listed in the enctypes
> > after every key) are the same.  The keys should also be in the same order
> > (although I don't remember if mis-ordering results in this error).  When
> > I create cross-realm keys, I specify the enctype:salt pairs manually so
> > they will match and have the correct ordering.
> > 
> 
> I believe they match... well, one of them does at any rate. If I understand
> things, on realmA, it's set up with just one enc/salt type where I've got three
> on this end. One of those three is the one. I've tried recreating the principal
> with just the one and no luck.
> 
> 
> > --Ken
> 
> -- 
> ********************************
> David William Botsch
> Programmer/Analyst
> CNF Computing
> [EMAIL PROTECTED]
> ********************************
> ________________________________________________
> Kerberos mailing list           [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
********************************
David William Botsch
Programmer/Analyst
CNF Computing
[EMAIL PROTECTED]
********************************
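
The comparison suggested in the quoted reply (same enctype:salt pairs, in the same order, for the cross-realm principal on both sides), as an added example that is not part of the original thread. It assumes getprinc prints one `Key: vno N, enctype, salt` line per key; the realm names and both sample outputs are constructed.

```python
import re

# Assumed getprinc line shape: "Key: vno N, <enctype>[, <salt>]".
# "<enctype>:<salt>" is also accepted; a missing salt is read as "no salt".
KEY_RE = re.compile(r"^Key: vno (\d+), ([^,:]+?)(?:\s*[,:]\s*(.+))?$")

def parse_keys(getprinc_text):
    """Return the ordered list of (enctype, salt) pairs found in getprinc output."""
    keys = []
    for line in getprinc_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            salt = (m.group(3) or "no salt").strip().lower()
            keys.append((m.group(2).strip().lower(), salt))
    return keys

def compare_realms(text_a, text_b):
    """List differences between the key lists of one principal as seen in two realms."""
    a, b = parse_keys(text_a), parse_keys(text_b)
    findings = ["only in A: %s / %s" % p for p in a if p not in b]
    findings += ["only in B: %s / %s" % p for p in b if p not in a]
    if not [p for p in a if p in b]:
        findings.append("no common enctype:salt pair")
    elif a[0] != b[0]:
        findings.append("first key differs: A=%s, B=%s" % (a[0][0], b[0][0]))
    return findings

# Constructed sample output: one key in realm A, three in realm B, one in common.
REALM_A = """Principal: krbtgt/REALMB.EXAMPLE@REALMA.EXAMPLE
Number of keys: 1
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
"""
REALM_B = """Principal: krbtgt/REALMB.EXAMPLE@REALMA.EXAMPLE
Number of keys: 3
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
"""
# Constructed: realm B after recreating the principal with only the shared enctype.
REALM_B_SINGLE = """Principal: krbtgt/REALMB.EXAMPLE@REALMA.EXAMPLE
Number of keys: 1
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
"""

if __name__ == "__main__":
    for finding in compare_realms(REALM_A, REALM_B):
        print(finding)
```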