cross realm authentication details



I've got my KDC running on OpenBSD 3.8-release and have 2 realms, REALM.1 and
REALM.2, which both authenticate to the same single KDC. I can get tickets for
each realm from either realm and use them just fine in their respective realms.
Having read the documentation at http://www.pdc.kth.se/heimdal/heimdal.html , I
would assume that I merely need to add two principals on my single KDC for
both realms to cross-authenticate (see section 4.12 of the earlier link).

I have tried doing this by adding 2 principals, krbtgt/REALM.1@REALM.2 and
krbtgt/REALM.2@REALM.1, to my KDC via the kadmin interface using

add --random-key krbtgt/REALM.1@REALM.2
add --random-key krbtgt/REALM.2@REALM.1

To test this, I get a ticket for user1@REALM.1 and then attempt to ssh into one
of the hosts in REALM.2 where user1 has an account. This does not work and I see
the following in kdc.log on the KDC

2006-04-30T15:44:52 TGS-REQ user1@REALM.1 from IPv4:10.9.0.253 for krbtgt/REALM.2@REALM.1
2006-04-30T15:44:52 TGS-REQ user1@REALM.1 from IPv4:10.9.0.253 for host/host1.realm.2@REALM.2
2006-04-30T15:44:52 cross-realm REALM.1 -> REALM.2
2006-04-30T15:44:52 TGS-REQ user1@REALM.1 from IPv4:10.9.0.253 for krbtgt/REALM.1@REALM.1 [forwarded, forwardable]
2006-04-30T15:44:52 Bad request for forwardable ticket

I have the following krb5.conf on hosts in both realms, with the default realm
modified appropriately

[libdefaults]
        # Set the realm of this host here
        default_realm = REALM.1

        # Maximum allowed time difference between KDC and this host
        clockskew = 300

        # Uncomment this if you run NAT on the client side of kauth.
        # This may be considered a security issue though.
        # no-addresses = yes

[realms]
        REALM.1 = {
                # Specify KDC here
                kdc = kerberos.realm.1

                # Administration server, used for creating users etc.
                admin_server = kerberos.realm.1
        }

        # Example of a "foreign" realm
        REALM.2 = {
                kdc = kerberos.realm.1
                admin_server = kerberos.realm.1
                #default_domain = other.domain
                #v4_domains = other.domain
        }

# This section describes how to figure out a realm given a DNS name
[domain_realm]
        .realm.1 = REALM.1
        .realm.2 = REALM.2

<snip>

ssh -vvv doesn't yield any additional debugging info. Any ideas on what I'm
doing wrong?

Also, is there a way to integrate sudo with Heimdal? I thought it would be nice
to have all sudo calls logged in a single place.

cheers,
jake
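
Reading a kdc.log excerpt like the one quoted above takes some practice, so here is an added shell example, not code from the post or from Heimdal, that extracts the cross-realm referral chain (every TGS-REQ for a krbtgt of a realm other than the client's own) and pairs each "Bad request" line with the TGS-REQ the KDC answered in the same second. The log text embedded in it is constructed to match the quoted lines, with one unrelated request added for contrast; the field layout it parses (timestamp, TGS-REQ, client, from, address, for, service, optional flags) is assumed from those lines rather than taken from Heimdal's source.

```shell
#!/bin/sh
# Added example (not from the post or from Heimdal): summarise a Heimdal kdc.log
# excerpt. The log below is constructed to match the lines quoted in the post,
# plus one unrelated request; the field positions parsed here are assumed from it.

KDC_LOG='2006-04-30T15:44:52 TGS-REQ user1@REALM.1 from IPv4:10.9.0.253 for krbtgt/REALM.2@REALM.1
2006-04-30T15:44:52 TGS-REQ user1@REALM.1 from IPv4:10.9.0.253 for host/host1.realm.2@REALM.2
2006-04-30T15:44:52 cross-realm REALM.1 -> REALM.2
2006-04-30T15:44:52 TGS-REQ user1@REALM.1 from IPv4:10.9.0.253 for krbtgt/REALM.1@REALM.1 [forwarded, forwardable]
2006-04-30T15:44:52 Bad request for forwardable ticket
2006-04-30T15:51:10 TGS-REQ user2@REALM.2 from IPv4:10.9.0.7 for host/host2.realm.2@REALM.2'

# Print "client -> target realm" for every TGS-REQ that asks for a cross-realm
# TGT, i.e. a service of the form krbtgt/<other realm>@<client realm>.
# Reads log lines on stdin.
cross_realm_hops() {
    awk '
        $2 == "TGS-REQ" {
            service = ""
            for (i = 3; i < NF; i++) if ($i == "for") service = $(i + 1)
            if (service !~ /^krbtgt\//) next
            split($3, c, "@"); client_realm = c[2]
            split(service, s, "[/@]"); target_realm = s[2]   # krbtgt / REALM.2 @ REALM.1
            if (target_realm != client_realm) print $3, "->", target_realm
        }'
}

# Print each request that the KDC rejected with a "Bad request ..." line.
# Heimdal logs the request and the rejection separately, so the pairing here is
# by timestamp and order: the rejection is attached to the most recent TGS-REQ
# logged in the same second.
rejected_requests() {
    awk '
        $2 == "TGS-REQ" { last_req[$1] = $0 }
        $2 == "Bad" && $3 == "request" && ($1 in last_req) {
            req = last_req[$1]; sub(/^[^ ]+ /, "", req)       # drop the timestamp
            reason = $0;        sub(/^[^ ]+ /, "", reason)
            print req " => " reason
        }'
}

# Number of rejected requests in the embedded log, handy as a cron-style check.
rejection_count() {
    printf '%s\n' "$KDC_LOG" | rejected_requests | wc -l | tr -d ' '
}

printf '%s\n' "$KDC_LOG" | cross_realm_hops
printf '%s\n' "$KDC_LOG" | rejected_requests
```

On the constructed log this prints the single hop `user1@REALM.1 -> REALM.2` and one rejected request, the forwarded TGS-REQ for krbtgt/REALM.1@REALM.1. Point the two functions at a real kdc.log with `cross_realm_hops < /var/heimdal/kdc.log` to see which clients are crossing realms and which of their requests the KDC refused.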