Steven Van Acker wrote:
> I'm trying to get cross-realm authentication to work between A.COM and
> B.NET for openssh.
> the KDC from A.COM has a principal [EMAIL PROTECTED]
> the KDC from B.NET has the principal host/[EMAIL PROTECTED]
> There's also a principal krbtgt/[EMAIL PROTECTED] on both KDC's.

Is [EMAIL PROTECTED] authorized to access <user>'s account on the ssh server? If the server's default realm is B.NET, the standard configuration will only allow [EMAIL PROTECTED] to access that account. You need to investigate the documentation for ~/.k5login, or whatever other mechanisms your Kerberos library provides for authorizing cross-realm principals.

Simon.
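The authorization step this reply points at, as an added example that is not part of the original thread: a simplified Python model of the decision MIT Kerberos's krb5_kuserok() makes for an account, assuming the MIT library and its default settings. The account name `alice` and its principals are constructed; only the realm names come from the thread.

```python
# Simplified model of MIT Kerberos krb5_kuserok(): after sshd has verified
# the ticket, may this principal log in to this local account?
# Assumption: MIT defaults (a present ~/.k5login is authoritative).
# Principal names with escaped '@' are not handled in this model.

def parse_principal(principal):
    """Split 'name@REALM' into (name, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a fully qualified principal: {principal!r}")
    return name, realm

def default_rule(principal, local_user, default_realm):
    """No ~/.k5login: only <local_user>@<default_realm> maps to the account."""
    name, realm = parse_principal(principal)
    return realm == default_realm and name == local_user

def kuserok(principal, local_user, default_realm, k5login=None):
    """k5login is the text of ~/.k5login, or None if the file is absent."""
    parse_principal(principal)  # reject unqualified names early
    if k5login is None:
        return default_rule(principal, local_user, default_realm)
    # Once the file exists it is the complete list: the default rule no
    # longer applies, so the owner's own-realm principal must be listed too.
    allowed = {ln.strip() for ln in k5login.splitlines() if ln.strip()}
    return principal in allowed

if __name__ == "__main__":
    # Constructed scenario: server's default realm is B.NET, account "alice".
    cases = [
        ("alice@B.NET", None),                          # same realm, no file
        ("alice@A.COM", None),                          # cross-realm, no file
        ("alice@A.COM", "alice@A.COM\n"),               # cross-realm, listed
        ("alice@B.NET", "alice@A.COM\n"),               # owner now locked out
        ("alice@B.NET", "alice@A.COM\nalice@B.NET\n"),  # both listed
    ]
    for principal, k5login in cases:
        ok = kuserok(principal, "alice", "B.NET", k5login)
        print(f"{principal:12} k5login={k5login!r:32} -> {'allow' if ok else 'deny'}")
```

On a real host the library also requires ~/.k5login to be owned by the account (or root) and not writable by others.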
