On Wed, 03 Dec 2014, Andreas Ladanyi wrote:
Hi,

I am trying to set up a cross-realm relationship.

Generated krbtgt cross-realm principals on both KDCs with the same
password and kvno:

krbtgt/REALM_B (MIT Kerberos)@REALM_A (FreeIPA 3.3.5)
krbtgt/REALM_A@REALM_B

getprinc on REALM_A KDC for principal krbtgt/REALM_B@REALM_A:

Number of keys: 4
Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
Key: vno 1, des3-cbc-sha1, Version 5
Key: vno 1, arcfour-hmac, Version 5
MKey: vno 1

getprinc on REALM_A KDC for principal krbtgt/REALM_A@REALM_B:

Number of keys: 4
Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
Key: vno 1, des3-cbc-sha1, Version 5
Key: vno 1, arcfour-hmac, Version 5
MKey: vno 1

getprinc on REALM_B KDC for principal krbtgt/REALM_B@REALM_A:

Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1

getprinc on REALM_B KDC for principal krbtgt/REALM_A@REALM_B:

Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1


I set up the [capaths] section in the krb5.conf client config:

[capaths]
REALM_A = {
   REALM_B = .
   }
REALM_B = {
   REALM_A = .
   }

You need this section on both realms' KDCs.


--
/ Alexander Bokovoy
