You say the KDCs are Windows DCs, and TEST.HOME is not in the forest?
I assume the client LDAP is using the MIT or Heimdal Kerberos, as capaths is
only supported there. Windows uses referrals, where the client can ask its DC
for a tgt, and the DC can return an error with a referral (or was it a tgt for
the next hop? I forgot all the details.)
Markus Moeller wrote:
> I have a setup with 4 DCs. 3 DCs build a forest and the fourth hangs off one
> of the sub domains.
>
>             TOP.COM
>            /       \
>   DOM1.TOP.COM   DOM2.TOP.COM
>       /
>   TEST.HOME
>
So in the krb5 man page example your realms equate to these:
TEST.ANL.GOV == TEST.HOME
ANL.GOV == DOM1.TOP.COM
ES.NET == TOP.COM
NERSC.GOV == DOM2.TOP.COM
> There is full trust between TOP.COM and DOM1.TOP.COM and DOM2.TOP.COM.
> TEST.HOME has only full trust to DOM1.TOP.COM.
>
> I try to connect from a user in DOM2.TOP.COM to a system in TEST.HOME with
> the following krb5.conf on DOM2.TOP.COM systems.
>
> [domain_realm]
> top.com = TOP.COM
> .top.com = TOP.COM
> dom1.top.com = DOM1.TOP.COM
> .dom1.top.com = DOM1.TOP.COM
> dom2.top.com = DOM2.TOP.COM
> .dom2.top.com = DOM2.TOP.COM
> test.home = TEST.HOME
> .test.home = TEST.HOME
>
> [capaths]
> DOM2.TOP.COM = {
> TEST.HOME = DOM1.TOP.COM
The above line may be the problem: it is telling the client that
it can go to DOM1.TOP.COM. But DOM1.TOP.COM and DOM2.TOP.COM don't
share trust, so it may have fallen back and tried the direct approach,
or it skipped the capaths altogether.

TEST.HOME = TOP.COM
TEST.HOME = DOM1.TOP.COM

Try these instead; at least it is an easy test.
> DOM1.TOP.COM = TOP.COM
> TOP.COM = .
> }
> DOM1.TOP.COM = {
> DOM2.TOP.COM = TOP.COM
> TOP.COM = .
> }
> TEST.HOME = {
> DOM2.TOP.COM = TOP.COM
> TOP.COM = DOM1.TOP.COM
> DOM1.TOP.COM = .
> }
>
> A walk tree test gives me:
>
> #t_walk_rtree DOM1.TOP.COM TEST.HOME
> krbtgt/[EMAIL PROTECTED]
> krbtgt/[EMAIL PROTECTED]
>
> #t_walk_rtree DOM2.TOP.COM TEST.HOME
> krbtgt/[EMAIL PROTECTED]
> krbtgt/[EMAIL PROTECTED]
> krbtgt/[EMAIL PROTECTED]
> krbtgt/[EMAIL PROTECTED]
>
> But when I do an ldapsearch -H ldap://dc.test.home .... I get
>
> additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous
> failure (KDC reply did not match expectations)
>
> An Ethereal trace shows a TGS-REQ for krbtgt/TEST.HOME going to DOM2.TOP.COM
> instead of to DOM1.TOP.COM.
>
Were there any other krb5 packets?
> What is wrong in my configuration?
>
> Thank you
> Markus
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
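As an added illustration of the point made in this thread, the script below models how a client turns a [capaths] section into a chain of cross-realm TGTs and checks each hop against the trusts Markus described. It is example code written for this page, not MIT Kerberos code and not t_walk_rtree: it implements only the capaths lookup (no hierarchical fallback, no Windows referrals), the [capaths] text is the one from the post plus the two-line replacement suggested in the reply, and the DIRECT_TRUSTS set is constructed from the diagram (TOP.COM with each child, TEST.HOME with DOM1.TOP.COM only).

```python
"""Walk a krb5.conf [capaths] section hop by hop and flag hops that no direct
trust backs. Example code for this thread, not MIT Kerberos or t_walk_rtree."""
import re

# Constructed from the posted diagram: TOP.COM trusts its two children, and
# TEST.HOME trusts only DOM1.TOP.COM. No direct DOM1/DOM2 trust exists.
DIRECT_TRUSTS = {
    frozenset({"TOP.COM", "DOM1.TOP.COM"}),
    frozenset({"TOP.COM", "DOM2.TOP.COM"}),
    frozenset({"DOM1.TOP.COM", "TEST.HOME"}),
}

# The [capaths] section exactly as posted for the DOM2.TOP.COM systems.
POSTED_CAPATHS = """
[capaths]
DOM2.TOP.COM = {
    TEST.HOME = DOM1.TOP.COM
    DOM1.TOP.COM = TOP.COM
    TOP.COM = .
}
DOM1.TOP.COM = {
    DOM2.TOP.COM = TOP.COM
    TOP.COM = .
}
TEST.HOME = {
    DOM2.TOP.COM = TOP.COM
    TOP.COM = DOM1.TOP.COM
    DOM1.TOP.COM = .
}
"""

# The same section with the reply's suggestion: TEST.HOME is reached from
# DOM2.TOP.COM via TOP.COM and then DOM1.TOP.COM, one line per hop, in order.
SUGGESTED_CAPATHS = POSTED_CAPATHS.replace(
    "    TEST.HOME = DOM1.TOP.COM\n",
    "    TEST.HOME = TOP.COM\n    TEST.HOME = DOM1.TOP.COM\n",
)


def parse_capaths(text):
    """Parse [capaths] into {client_realm: {server_realm: [intermediates]}}.
    A repeated 'server = realm' key appends, which is how krb5.conf spells a
    multi-hop path; a value of '.' means a direct cross-realm ticket."""
    capaths = {}
    current = None
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            in_section = line == "[capaths]"     # only this section matters here
            continue
        if not in_section:
            continue
        block = re.match(r"^(\S+)\s*=\s*\{$", line)
        if block:
            current = capaths.setdefault(block.group(1), {})
            continue
        if line == "}":
            current = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if current is None or not value:
            raise ValueError("unexpected line outside a realm block: %r" % raw)
        hops = current.setdefault(key, [])
        if value != ".":
            hops.append(value)
    return capaths


def realm_path(capaths, client, server):
    """Realm sequence a client in `client` follows to reach `server`. With no
    entry the model simply tries a direct hop (MIT's real fallback is richer)."""
    if client == server:
        return [client]
    intermediates = capaths.get(client, {}).get(server, [])
    return [client] + intermediates + [server]


def tgt_chain(path):
    """Cross-realm TGTs the path needs, one per hop, as 'krbtgt/NEXT@CURRENT'."""
    return ["krbtgt/%s@%s" % (nxt, cur) for cur, nxt in zip(path, path[1:])]


def untrusted_hops(path, trusts=DIRECT_TRUSTS):
    """Hops no direct trust backs: each is a TGS-REQ the KDC cannot satisfy."""
    return [(cur, nxt) for cur, nxt in zip(path, path[1:])
            if frozenset({cur, nxt}) not in trusts]


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CAPATHS), ("suggested", SUGGESTED_CAPATHS)):
        path = realm_path(parse_capaths(conf), "DOM2.TOP.COM", "TEST.HOME")
        print("%s config: %s" % (label, " -> ".join(path)))
        for tgt in tgt_chain(path):
            print("   ", tgt)
        print("    hops without a direct trust:", untrusted_hops(path))
```

With the posted section the walk is DOM2.TOP.COM -> DOM1.TOP.COM -> TEST.HOME, and the first hop (krbtgt/DOM1.TOP.COM@DOM2.TOP.COM) has no direct trust behind it, which is the failure the reply points at; with the two suggested lines the walk goes through TOP.COM and every hop has a trust. A quick check like this, run against a krb5.conf before deploying it, catches a mis-ordered or skipped intermediate realm without needing a packet capture.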