Hi Colm,

Have you added the same krbtgt/[email protected] principal in kdc1 
and kdc2?

Thanks,
Jiajia

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]] 
Sent: Monday, November 6, 2017 7:15 PM
To: [email protected]
Subject: Re: Kerby Update

Hi Jiajia,

Thanks for your reply, I can't get it working though. I'm using two Kerby 
distributions (kdc1 and kdc2) as well as the tool dist. Is this feature fully 
implemented on the Kerby side for kdc2, or is it only tested with an MIT KDC by 
any chance?

sh bin/kinit.sh -conf conf [email protected]
Password for [email protected]:
Successfully requested and stored ticket in /tmp/krb5cc_1000

sh bin/kinit.sh -conf conf -c /tmp/krb5cc_1000 -S [email protected]
Kinit: get service ticket failed: Fail to get the tgs entry for remote
realm: A.EXAMPLE.COM with error code: UNKNOWN_ERR

Colm.


On Mon, Nov 6, 2017 at 1:46 AM, Li, Jiajia <[email protected]> wrote:

> Hi Colm,
>
> >>>a) What information is required in the krb5.conf of the tool-dist?
> The capaths, realms, domain_realm sections are required, the same as 
> the MIT Kerberos.
>
>
> >>>b) Could you give an example (using the A.EXAMPLE.COM + 
> >>>B.EXAMPLE.COM
> >>>realms) for the "Validate" section of the docs (
> https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md)?
>
> To validate that the user ("test") within realm A.EXAMPLE.COM is trusted to 
> access the resource ("hdfs") in another realm B.EXAMPLE.COM, do the 
> following steps (the conf dir is "conf"):
> 1. sh bin/kinit.sh -conf conf [email protected]
>    We will get the credential cache ("/tmp/krb5cc_0").
> 2. sh bin/kinit.sh -conf conf -c /tmp/krb5cc_0 -S [email protected]
>    Then we will get the service tgt. MIT Kerberos uses "kvno" to get the 
>    service tgt in this step.
>
>
> Thanks,
> Jiajia
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Friday, November 3, 2017 7:04 PM
> To: [email protected]
> Subject: Re: Kerby Update
>
> Hi Jiajia,
>
> I've been trying to get this new feature working, but unsuccessfully 
> so far - I get an error:
>
> 2017-11-03 10:58:41  INFO{DefaultInternalKrbClient.java:82}-Send to kdc success.
> 2017-11-03 10:58:41  INFO{KrbHandler.java:120}-KDC server response with message: Unknown error
> 2017-11-03 10:58:41  INFO{KrbHandler.java:142}-Unknown error
>
> Could you clarify a few points for me please...
>
> a) What information is required in the krb5.conf of the tool-dist?
> b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM
> realms) for the "Validate" section of the docs ( 
> https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md)?
> It's a little unclear as to how exactly it should be used.
>
> Colm.
>
> On Mon, Oct 23, 2017 at 2:22 AM, Li, Jiajia <[email protected]> wrote:
>
> > Hi all,
> >
> > Recently we have implemented the cross-realm authentication support: 
> > a KDC in one realm can authenticate users in a different realm, so it 
> > allows clients from another realm to access the cluster. Cross-realm 
> > authentication is accomplished by sharing a secret key between the 
> > two realms. Both backends should have the krbtgt service 
> > principals for the realms with the same passwords, key version numbers, and 
> > encryption types.
> > We have used this feature in a Hadoop cluster: after establishing 
> > cross-realm trust between two secure Hadoop clusters with their own 
> > realms, copying data between the two secure clusters can work now. This 
> > support can also be used to build a trust relationship with an MIT 
> > Kerberos KDC, and we have tested compatibility.
> >
> > Here is the document about setting up cross realm:
> > https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md
> >
> > Thanks,
> > Jiajia
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
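As an added example (not code from the Kerby project or from anyone in this thread), the following Python script checks a krb5.conf for the sections Jiajia lists as required on the client side (realms, domain_realm, capaths) and derives the krbtgt principal name that both KDC backends must hold with the same password, kvno and encryption types for the path from A.EXAMPLE.COM to B.EXAMPLE.COM. The embedded krb5.conf is constructed for the example; the KDC hostnames kdc1.a.example.com and kdc2.b.example.com are placeholders, and the parser only handles the single-intermediate form of capaths.

```python
"""Sanity-check a krb5.conf for a cross-realm trust path (added example, not Kerby code)."""
import re

# Constructed sample krb5.conf; hostnames are placeholders, not real KDCs.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = A.EXAMPLE.COM

[realms]
    A.EXAMPLE.COM = {
        kdc = kdc1.a.example.com:88
    }
    B.EXAMPLE.COM = {
        kdc = kdc2.b.example.com:88
    }

[domain_realm]
    .a.example.com = A.EXAMPLE.COM
    .b.example.com = B.EXAMPLE.COM

[capaths]
    A.EXAMPLE.COM = {
        B.EXAMPLE.COM = .
    }
    B.EXAMPLE.COM = {
        A.EXAMPLE.COM = .
    }
"""


def parse_krb5_conf(text):
    """Parse the INI-like krb5.conf format, including one level of { } nesting.

    Returns {section: {key: value}} where a value is either a string or a
    nested dict for 'key = { ... }' blocks (as used in [realms] and [capaths]).
    """
    sections = {}
    stack = []  # innermost dict currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            stack = [section]
            continue
        if line == "}":
            stack.pop()
            continue
        if "=" not in line or not stack:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            nested = {}
            stack[-1][key] = nested
            stack.append(nested)
        else:
            stack[-1][key] = value
    return sections


def check_cross_realm(conf, client_realm, service_realm):
    """Return a list of problems; an empty list means the path is fully described."""
    problems = []
    realms = conf.get("realms", {})
    for realm in (client_realm, service_realm):
        if not isinstance(realms.get(realm), dict) or "kdc" not in realms[realm]:
            problems.append(f"[realms] has no kdc entry for {realm}")
    if not conf.get("domain_realm"):
        problems.append("[domain_realm] section is missing or empty")
    capaths = conf.get("capaths", {})
    if capaths.get(client_realm, {}).get(service_realm) is None:
        problems.append(f"[capaths] has no path from {client_realm} to {service_realm}")
    return problems


def expected_krbtgt_principals(conf, client_realm, service_realm):
    """List the cross-realm krbtgt principals the path requires.

    '.' in capaths means a direct trust, which needs krbtgt/SERVICE@CLIENT in
    both KDC backends; an intermediate realm adds one hop per realm.
    """
    path = conf.get("capaths", {}).get(client_realm, {}).get(service_realm)
    if path is None:
        return []
    hops = [client_realm, service_realm] if path == "." else [client_realm, path, service_realm]
    return [f"krbtgt/{hops[i + 1]}@{hops[i]}" for i in range(len(hops) - 1)]


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for problem in check_cross_realm(conf, "A.EXAMPLE.COM", "B.EXAMPLE.COM"):
        print("problem:", problem)
    for principal in expected_krbtgt_principals(conf, "A.EXAMPLE.COM", "B.EXAMPLE.COM"):
        print("both KDCs need:", principal)
```

Running it against a krb5.conf with the [capaths] section removed reports the missing path, which is the client-side counterpart of the "Fail to get the tgs entry for remote realm" error in the thread; the printed krbtgt principal is the one to compare across kdc1 and kdc2 (same password, kvno and enctypes) when the client side checks out.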
