I am trying to get two realms to trust each other.  Both realms are in
the Mines.EDU domain.  The first realm is for production systems and is
named MINES.EDU; the second realm is for development systems and is named
DEVMINES.EDU.  The documentation that I have read only discusses the
case where there is one Kerberos realm per domain.  In this case I have
two Kerberos realms in one domain.

The client (merlin.Mines.EDU) is in the MINES.EDU realm and the server
(oneoften.Mines.EDU) is in the DEVMINES.EDU realm.  Both of the Kerberos
KDCs are running Kerberos 1.6.1 with the recent patches.  I am using
OpenSSH for testing, any host in MINES.EDU can ssh to any other host in
MINES.EDU and login without a password, and any host in DEVMINES.EDU can
ssh to any other host in DEVMINES.EDU and login without a password using
Kerberos to authenticate.

After some digging through the documentation, I learned that the domain
realm section of the krb5.conf file could be used to map either a host
or a domain name to a realm name.  After some tinkering, my client
(merlin.Mines.EDU) has a domain realm like this:

[domain_realm]
 oneoften.mines.edu = DEVMINES.EDU
 oneoften.Mines.EDU = DEVMINES.EDU
 oneoften = DEVMINES.EDU
 mines.edu = MINES.EDU
 .mines.edu = MINES.EDU
 Mines.EDU = MINES.EDU
 .Mines.EDU = MINES.EDU

And my server (oneoften.Mines.EDU) has this:

[domain_realm]
 merlin.mines.edu = MINES.EDU
 merlin.Mines.EDU = MINES.EDU
 merlin = MINES.EDU
 .Mines.EDU = DEVMINES.EDU
 Mines.EDU = DEVMINES.EDU
 .mines.edu = DEVMINES.EDU
 mines.edu = DEVMINES.EDU


My capaths section on merlin and oneoften looks like this:

[capaths]
 MINES.EDU = {
   DEVMINES.EDU = MINES.EDU
 }
 
 DEVMINES.EDU = {
   MINES.EDU = DEVMINES.EDU
 }

When I ssh from Merlin to oneoften, the KDC in MINES.EDU logs this:

Aug 07 16:13:31 immortal.Mines.EDU krb5kdc[2719](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.67.4.11: ISSUE: authtime 1186524790, etypes {rep=18 tkt=23 ses=18}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]
Aug 07 16:13:31 immortal.Mines.EDU krb5kdc[2719](info): TGS_REQ (1 etypes {18}) 138.67.4.11: ISSUE: authtime 1186524790, etypes {rep=18 tkt=23 ses=18}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED]


And the KDC for DEVMINES.EDU logs this:

Aug 07 16:13:31 sixoften.Mines.EDU krb5kdc[5385](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.67.4.11: ISSUE: authtime 1186524790, etypes {rep=18 tkt=23 ses=18}, [EMAIL PROTECTED] for host/[EMAIL PROTECTED]


It looks to me like Merlin goes to the KDC in the MINES.EDU realm,
gets the krbtgt/[EMAIL PROTECTED] ticket, then goes to the KDC for
the DEVMINES.EDU realm and gets the ticket for
host/[EMAIL PROTECTED].

But, ssh still asks for a password.


[EMAIL PROTECTED] ~]$ kdestroy ; kinit ; klist -f
Password for [EMAIL PROTECTED]: 
Ticket cache: FILE:/tmp/krb5cc_5467_V9EjEj
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
08/07/07 16:13:10  08/08/07 07:13:10  krbtgt/[EMAIL PROTECTED]
        renew until 08/08/07 16:13:08, Flags: FRIA


Kerberos 4 ticket cache: /tmp/tkt5467
klist: You have no tickets cached
[EMAIL PROTECTED] ~]$ ssh oneoften
[EMAIL PROTECTED]'s password: 
Permission denied, please try again.
[EMAIL PROTECTED]'s password: 
Permission denied, please try again.
[EMAIL PROTECTED]'s password: 
Received disconnect from 138.67.130.65: 2: Too many authentication failures for mbrookov
[EMAIL PROTECTED] ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_5467_V9EjEj
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
08/07/07 16:13:10  08/08/07 07:13:10  krbtgt/[EMAIL PROTECTED]
        renew until 08/08/07 16:13:08, Flags: FRIA
08/07/07 16:13:31  08/08/07 07:13:10  krbtgt/[EMAIL PROTECTED]
        renew until 08/08/07 16:13:08, Flags: FRAT
08/07/07 16:13:31  08/08/07 07:13:10  host/[EMAIL PROTECTED]
        renew until 08/08/07 16:13:08, Flags: FRAT


Kerberos 4 ticket cache: /tmp/tkt5467
klist: You have no tickets cached
[EMAIL PROTECTED] ~]$ 

I have never set up a cross realm relationship between two realms, but
the logs and the tickets on the client look correct to me.

I have double-checked the password for the krbtgt/[EMAIL PROTECTED]
principals in both realms and am sure they match. Just in case, I set up
the krbtgt/[EMAIL PROTECTED] principals in both realms.  All 4
principals used to set up the cross-realm trust have the same key
version number, passwords, etc.

The realms section of /etc/krb5.conf has both the MINES.EDU realm and
the DEVMINES.EDU realm.

Merlin is running Fedora 7 with all of the patches and Oneoften is
running Red Hat Enterprise Linux 4 update 5 with all of the patches.

I have run out of straws to grasp at.  Does anybody have any ideas?

Thank you

Matt
[EMAIL PROTECTED]

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
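As an added illustration (not code from the post or from MIT Kerberos), a small Python model of the two client-side lookups the configuration above drives: the [domain_realm] host-to-realm mapping and the [capaths] cross-realm hop list. The krb5.conf text embedded in it is a constructed excerpt of merlin's settings for the merlin-to-oneoften direction; case-insensitive matching and the handling of a capaths hop that names the client's own realm are simplifying assumptions of this model.

```python
# Constructed excerpt of the merlin krb5.conf quoted in the post (assumed input).
KRB5_CONF = """
[domain_realm]
 oneoften.Mines.EDU = DEVMINES.EDU
 Mines.EDU = MINES.EDU
 .Mines.EDU = MINES.EDU
[capaths]
 MINES.EDU = {
   DEVMINES.EDU = MINES.EDU
 }
"""

def parse_krb5_conf(text):
    # Handles only the syntax used above: [section], key = value, one level of key = { ... }.
    sections, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
        elif line.endswith("{"):
            block = section.setdefault(line.split("=")[0].strip(), {})
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            (block if block is not None else section)[key.strip()] = value.strip()
    return sections

def host_realm(domain_realm, host):
    # Exact host entry wins; otherwise the longest matching ".domain" entry.
    # Case-insensitive comparison is an assumption of this model.
    table = {k.lower(): v for k, v in domain_realm.items()}
    labels = host.lower().split(".")
    for i in range(len(labels)):
        key = ("" if i == 0 else ".") + ".".join(labels[i:])
        if key in table:
            return table[key]
    return None

def tgt_chain(capaths, client_realm, server_realm):
    # capaths value = intermediate realm, "." = direct trust. A hop naming the realm
    # the client is already in is collapsed into the direct case (an assumption here).
    value = capaths.get(client_realm, {}).get(server_realm)
    if value is None:  # no capaths entry for this pair
        return None
    realms = [client_realm]
    for realm in ([] if value == "." else [value]) + [server_realm]:
        if realm != realms[-1]:
            realms.append(realm)
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(realms, realms[1:])]
```

For the quoted settings, tgt_chain returns the single cross-realm TGT krbtgt/DEVMINES.EDU@MINES.EDU, which is the ticket the MINES.EDU KDC log shows being issued before the host/ ticket is requested from the DEVMINES.EDU KDC.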
