On 03.12.2014 at 14:53, Alexander Bokovoy wrote:
> On Wed, 03 Dec 2014, Andreas Ladanyi wrote:
>> Hi,
>>
>> I am trying to set up a cross-realm relationship.
>>
>> Generated krbtgt cross-realm principals on both KDCs with the same
>> password and kvno:
>>
>> krbtgt/REALM_B (MIT Kerberos)@REALM_A (FreeIPA 3.3.5)
>> krbtgt/REALM_A@REALM_B
>>
>> getprinc on REALM_A KDC for principal krbtgt/REALM_B@REALM_A:
>>
>> Number of keys: 4
>> Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
>> Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
>> Key: vno 1, des3-cbc-sha1, Version 5
>> Key: vno 1, arcfour-hmac, Version 5
>> MKey: vno 1
>>
>> getprinc on REALM_A KDC for principal krbtgt/REALM_A@REALM_B:
>>
>> Number of keys: 4
>> Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
>> Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
>> Key: vno 1, des3-cbc-sha1, Version 5
>> Key: vno 1, arcfour-hmac, Version 5
>> MKey: vno 1
>>
>> getprinc on REALM_B KDC for principal krbtgt/REALM_B@REALM_A:
>>
>> Number of keys: 6
>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 1, DES cbc mode with CRC-32, no salt
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>> Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>> MKey: vno 1
>>
>> getprinc on REALM_B KDC for principal krbtgt/REALM_A@REALM_B:
>>
>> Number of keys: 6
>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 1, DES cbc mode with CRC-32, no salt
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>> Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>> MKey: vno 1
>>
>>
>> I set up the [capaths] section in the krb5.conf client config:
>>
>> [capaths]
>> REALM_A = {
>>   REALM_B = .
>> }
>> REALM_B = {
>>   REALM_A = .
>> }
> You need this section on both realms' KDCs.
>
I have done this now on all (2) KDCs without a restart of the Kerberos service. The error message is the same as in my first mail.

--
Dipl.-Ing. (FH) Andreas Ladanyi
ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik
Karlsruher Institut für Technologie (KIT)
Am Fasanengarten 5, Gebäude 50.34, Raum 013
76131 Karlsruhe
Phone: +49 721 608-43663
E-mail: andreas.lada...@kit.edu
www.atis.informatik.kit.edu
www.kit.edu

KIT - University of the State of Baden-Württemberg and National Research Center of the Helmholtz Association
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
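
A check one could run on the two krbtgt key listings quoted in the thread, as an added example that is not part of the original messages: it compares (kvno, enctype, salt) tuples between the two KDCs, on the assumption that keys derived from the same password only agree when all three match. The function names and the long-name-to-short-name mapping are assumptions of this example.

```python
import re

# Key lines copied from the getprinc listings quoted in the thread.
REALM_A_KDC = """\
Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
Key: vno 1, des3-cbc-sha1, Version 5
Key: vno 1, arcfour-hmac, Version 5
MKey: vno 1
"""
REALM_B_KDC = """\
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
"""

# Long-form enctype descriptions (as printed on the REALM_B KDC) mapped to
# the short names printed on the REALM_A KDC; mapping assumed for this example.
ALIASES = {
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
}
KEY_RE = re.compile(r"^Key: vno (\d+), ([^,]+), (.+)$")

def parse_keys(getprinc_text):
    """Return the set of (kvno, enctype, salt) tuples in getprinc output."""
    keys = set()
    for line in getprinc_text.splitlines():
        m = KEY_RE.match(line.strip())  # "MKey:" lines do not match
        if m:
            kvno, enctype, salt = (g.strip() for g in m.groups())
            keys.add((int(kvno), ALIASES.get(enctype, enctype), salt))
    return keys

def compare(a_text, b_text):
    """Return (tuples present on both KDCs, (kvno, enctype) differing only in salt)."""
    a, b = parse_keys(a_text), parse_keys(b_text)
    usable = a & b
    shared = {(k, e) for k, e, _ in a} & {(k, e) for k, e, _ in b}
    return usable, shared - {(k, e) for k, e, _ in usable}

if __name__ == "__main__":
    print(compare(REALM_A_KDC, REALM_B_KDC))
```

For the listings in the thread it returns no tuple common to both KDCs and reports des3-cbc-sha1 at kvno 1 as present on both sides with different salt types.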