Ah, it works now thanks! I thought I had to create "krbtgt/[email protected]" in the second KDC. I'll update the documentation...
Colm.

On Mon, Nov 6, 2017 at 1:25 PM, Li, Jiajia <[email protected]> wrote:

> Hi Colm,
>
> Have you added the same krbtgt/[email protected] principal in
> kdc1 and kdc2?
>
> Thanks,
> Jiajia
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Monday, November 6, 2017 7:15 PM
> To: [email protected]
> Subject: Re: Kerby Update
>
> Hi Jiajia,
>
> Thanks for your reply, I can't get it working though. I'm using two Kerby
> distributions (kdc1 and kdc2) as well as the tool dist. Is this feature
> fully implemented on the Kerby side for kdc2, or is it only tested with an
> MIT KDC by any chance?
>
> sh bin/kinit.sh -conf conf [email protected]
> Password for [email protected]:
> Successfully requested and stored ticket in /tmp/krb5cc_1000
>
> sh bin/kinit.sh -conf conf -c /tmp/krb5cc_1000 -S [email protected]
> Kinit: get service ticket failed: Fail to get the tgs entry for remote
> realm: A.EXAMPLE.COM with error code: UNKNOWN_ERR
>
> Colm.
>
>
> On Mon, Nov 6, 2017 at 1:46 AM, Li, Jiajia <[email protected]> wrote:
>
> > Hi Colm,
> >
> > >>> a) What information is required in the krb5.conf of the tool-dist?
> > The capaths, realms, domain_realm sections are required, the same as
> > the MIT Kerberos.
> >
> > >>> b) Could you give an example (using the A.EXAMPLE.COM +
> > >>> B.EXAMPLE.COM realms) for the "Validate" section of the docs (
> > https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md
> > )?
> >
> > To validate that the user ("test") within realm A.EXAMPLE.COM is trusted to
> > access the resource ("hdfs") in another realm B.EXAMPLE.COM, do the
> > following steps; the conf dir is "conf":
> > 1. sh bin/kinit.sh -conf conf [email protected]
> >    We will get the credential cache ("/tmp/krb5cc_0").
> > 2. sh bin/kinit.sh -conf conf -c /tmp/krb5cc_0 -S [email protected]
> >    Then we will get the service tgt. MIT Kerberos uses "kvno" to get the
> >    service tgt in this step.
> >
> > Thanks,
> > Jiajia
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Friday, November 3, 2017 7:04 PM
> > To: [email protected]
> > Subject: Re: Kerby Update
> >
> > Hi Jiajia,
> >
> > I've been trying to get this new feature working, but unsuccessfully
> > so far - I get an error:
> >
> > 2017-11-03 10:58:41 INFO{DefaultInternalKrbClient.java:82}-Send to kdc success.
> > 2017-11-03 10:58:41 INFO{KrbHandler.java:120}-KDC server response with message: Unknown error
> > 2017-11-03 10:58:41 INFO{KrbHandler.java:142}-Unknown error
> >
> > Could you clarify a few points for me please...
> >
> > a) What information is required in the krb5.conf of the tool-dist?
> > b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM
> > realms) for the "Validate" section of the docs (
> > https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md
> > )? It's a little unclear as to how exactly it should be used.
> >
> > Colm.
> >
> > On Mon, Oct 23, 2017 at 2:22 AM, Li, Jiajia <[email protected]> wrote:
> >
> > > Hi all,
> > >
> > > Recently we have implemented the cross-realm authentication support:
> > > a KDC in one realm can authenticate users in a different realm, so it
> > > allows a client from another realm to access the cluster. Cross-realm
> > > authentication is accomplished by sharing a secret key between the
> > > two realms. Both backends should have the krbtgt service
> > > principals for the realms with the same passwords, key version numbers, and
> > > encryption types.
> > > We have used this feature in a Hadoop cluster: after establishing
> > > cross-realm trust between two secure Hadoop clusters with their own
> > > realms, copying data between the two secure clusters now works. This
> > > support can also be used to build a trust relationship with an MIT
> > > Kerberos KDC, and we have tested compatibility.
> > >
> > > Here is the document about setting up cross realm:
> > > https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md
> > >
> > > Thanks,
> > > Jiajia
> > >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
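Jiajia's reply above states that the tool-dist's krb5.conf needs the capaths, realms and domain_realm sections, in the same form MIT Kerberos uses, and that the cross-realm krbtgt principal must exist in both KDC backends with the same password, kvno and encryption types. The following krb5.conf is an added illustration of those three sections for the A.EXAMPLE.COM / B.EXAMPLE.COM pair used in the thread; it is not taken from the Kerby documentation or from the thread itself, and the KDC hostnames and ports are assumed values.

```ini
# Added example client krb5.conf (conf/krb5.conf of the Kerby tool-dist).
# Not from the Kerby docs or the mailing-list thread; the kdc1/kdc2
# hostnames and port 88 are assumed placeholders.

[libdefaults]
    # Realm of the client principal used in the validation steps
    # ([email protected] in the thread).
    default_realm = A.EXAMPLE.COM

[realms]
    # One KDC per realm; the client must be able to reach BOTH, because the
    # second kinit (with -S) takes the cross-realm TGT from kdc1 to kdc2.
    A.EXAMPLE.COM = {
        kdc = kdc1.a.example.com:88
    }
    B.EXAMPLE.COM = {
        kdc = kdc2.b.example.com:88
    }

[domain_realm]
    # Host-to-realm mapping, so a service on a *.b.example.com host is
    # resolved to B.EXAMPLE.COM rather than the client's default realm.
    .a.example.com = A.EXAMPLE.COM
    a.example.com  = A.EXAMPLE.COM
    .b.example.com = B.EXAMPLE.COM
    b.example.com  = B.EXAMPLE.COM

[capaths]
    # "." denotes a direct trust path with no intermediate realm.
    # A client in A.EXAMPLE.COM reaches B.EXAMPLE.COM through the
    # cross-realm principal krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM (standard
    # Kerberos naming: krbtgt/<remote realm>@<local realm>). That principal,
    # with identical password, kvno and enctypes, must be present in both
    # kdc1's and kdc2's backend, as stated in the thread.
    A.EXAMPLE.COM = {
        B.EXAMPLE.COM = .
    }
    # Second entry only if trust is wanted in the opposite direction too;
    # it needs its own shared principal, krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM.
    B.EXAMPLE.COM = {
        A.EXAMPLE.COM = .
    }
```

With this file in the conf directory, the two validation commands from the thread (a plain `kinit.sh -conf conf` for the A-realm user, then `kinit.sh -conf conf -c <cache> -S <service>@B.EXAMPLE.COM`) exercise the trust end to end: the first step only needs kdc1, while the second step fails with the "Fail to get the tgs entry for remote realm" error seen in the thread if the shared krbtgt principal is missing from either backend, or if its password, kvno or enctypes differ between the two KDCs.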
