Hi, I am trying to set up a cross-realm relationship.

Generated krbtgt cross-realm principals on both KDCs with the same password and kvno:

krbtgt/REALM_B (MIT Kerberos)@REALM_A (FreeIPA 3.3.5)
krbtgt/REALM_A@REALM_B

getprinc on REALM_A KDC for principal krbtgt/REALM_B@REALM_A:

    Number of keys: 4
    Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
    Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
    Key: vno 1, des3-cbc-sha1, Version 5
    Key: vno 1, arcfour-hmac, Version 5
    MKey: vno 1

getprinc on REALM_A KDC for principal krbtgt/REALM_A@REALM_B:

    Number of keys: 4
    Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
    Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
    Key: vno 1, des3-cbc-sha1, Version 5
    Key: vno 1, arcfour-hmac, Version 5
    MKey: vno 1

getprinc on REALM_B KDC for principal krbtgt/REALM_B@REALM_A:

    Number of keys: 6
    Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 1, DES cbc mode with CRC-32, no salt
    Key: vno 1, DES cbc mode with RSA-MD5, Version 4
    Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
    Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
    Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
    MKey: vno 1

getprinc on REALM_B KDC for principal krbtgt/REALM_A@REALM_B:

    Number of keys: 6
    Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 1, DES cbc mode with CRC-32, no salt
    Key: vno 1, DES cbc mode with RSA-MD5, Version 4
    Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
    Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
    Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
    MKey: vno 1

I set up the [capaths] section in the krb5.conf client config:

    [capaths]
    REALM_A = {
        REALM_B = .
    }
    REALM_B = {
        REALM_A = .
    }

TEST for the REALM_B (FreeIPA) System:

1. kinit user: get a krbtgt/REALM_B@REALM_B
2. kvno krbtgt/REALM_A@REALM_B: get cross-realm ticket
   krbtgt/REALM_A@REALM_B: kvno = 1
3. kvno host/( FQDN of host in REALM_A )@REALM_A:
   kvno: KDC returned error string: PROCESS_TGS while getting credentials for host/( FQDN of host in REALM_A )@REALM_A.
4. kvno user@REALM_A:
   kvno: KDC returned error string: PROCESS_TGS while getting credentials for user@REALM_A.

Because I get a cross-realm ticket in step 2, I am of the opinion that I set up the cross-realm ticket correctly on both sides. I think only step 3/4 is the problem because I don't get tickets for a user/host principal in REALM_A.

Any ideas?

Andreas
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
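A check that can be run on the getprinc output quoted in the message above, as an added example that is not part of the original post: it compares the key list of one cross-realm principal as stored on each KDC and reports which (kvno, enctype, salt) entries are identical on both sides. The sample input is re-typed from the post's output for krbtgt/REALM_A@REALM_B; the function names and the long-name mapping table are assumptions of this example.

```python
import re

# Constructed sample input: "Key:" lines from the post for krbtgt/REALM_A@REALM_B.
KDC_A = """\
Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
Key: vno 1, des3-cbc-sha1, Version 5
Key: vno 1, arcfour-hmac, Version 5
"""
KDC_B = """\
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
"""

# Older kadmin prints enctype descriptions; map them to the short names.
LONG_NAMES = {
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
}
SALT_FREE = {"arcfour-hmac"}  # RC4 string-to-key ignores the salt
KEY_RE = re.compile(r"Key: vno (\d+), ([^,]+), (.+)")

def parse_keys(text):
    """Return the set of (kvno, enctype, salt) triples in getprinc output."""
    keys = set()
    for m in KEY_RE.finditer(text):
        enctype = LONG_NAMES.get(m.group(2).strip(), m.group(2).strip())
        salt = "-" if enctype in SALT_FREE else m.group(3).strip()
        keys.add((int(m.group(1)), enctype, salt))
    return keys

def compare(kdc_a, kdc_b):
    """Report triples present on both KDCs, and enctypes differing only in salt."""
    a, b = parse_keys(kdc_a), parse_keys(kdc_b)
    only_a = {(v, e) for v, e, _ in a - b}
    only_b = {(v, e) for v, e, _ in b - a}
    return {"matching": sorted(a & b), "salt_mismatch": sorted(only_a & only_b)}

if __name__ == "__main__":
    for label, entries in compare(KDC_A, KDC_B).items():
        print(label, entries)
```

An enctype listed under salt_mismatch has the same kvno and name on both KDCs but a different salt type, so a key derived from the same password will not be the same on the two sides.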