On 03.12.2014 at 14:53, Alexander Bokovoy wrote:
> On Wed, 03 Dec 2014, Andreas Ladanyi wrote:
>> Hi,
>>
>> I am trying to set up a cross-realm relationship.
>>
>> Generated krbtgt cross-realm principals on both KDCs with the same
>> password and kvno:
>>
>> krbtgt/REALM_B (MIT Kerberos)@REALM_A (FreeIPA 3.3.5)
>> krbtgt/REALM_A@REALM_B
>>
>> getprinc on REALM_A KDC for principal krbtgt/REALM_B@REALM_A:
>>
>> Number of keys: 4
>> Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
>> Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
>> Key: vno 1, des3-cbc-sha1, Version 5
>> Key: vno 1, arcfour-hmac, Version 5
>> MKey: vno 1
>>
>> getprinc on REALM_A KDC for principal krbtgt/REALM_A@REALM_B:
>>
>> Number of keys: 4
>> Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
>> Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
>> Key: vno 1, des3-cbc-sha1, Version 5
>> Key: vno 1, arcfour-hmac, Version 5
>> MKey: vno 1
>>
>> getprinc on REALM_B KDC for principal krbtgt/REALM_B@REALM_A:
>>
>> Number of keys: 6
>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 1, DES cbc mode with CRC-32, no salt
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>> Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>> MKey: vno 1
>>
>> getprinc on REALM_B KDC for principal krbtgt/REALM_A@REALM_B:
>>
>> Number of keys: 6
>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 1, DES cbc mode with CRC-32, no salt
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>> Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>> MKey: vno 1
>>
>>
>> I set up the [capaths] section in the krb5.conf client config:
>>
>> [capaths]
>> REALM_A = {
>>    REALM_B = .
>>    }
>> REALM_B = {
>>    REALM_A = .
>>    }
> You need this section on both realms' KDCs.
>
>

I have done this now on all (2) KDCs without a restart of the Kerberos
service. The error message is the same as in my first mail.

-- 

Dipl.-Ing. (FH) Andreas Ladanyi

ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik
Karlsruher Institut für Technologie (KIT)

Am Fasanengarten 5, Gebäude 50.34, Raum 013
76131 Karlsruhe
Phone: +49 721 608-43663

E-Mail: andreas.lada...@kit.edu

www.atis.informatik.kit.edu
www.kit.edu

KIT - University of the State of Baden-Württemberg and National Research Center
of the Helmholtz Association
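
Added example, not part of the original messages: a cross-realm key is only usable when the same kvno and enctype exist for that principal on both KDCs, so this sketch parses the `getprinc` key lists quoted above for krbtgt/REALM_B@REALM_A and reports which (kvno, enctype) pairs are shared. The function names `parse_keys` and `compare` are hypothetical; the long-to-short enctype name mapping is an assumption based on MIT Kerberos enctype descriptions, and salt labels are ignored.

```python
import re

# Descriptive enctype names printed by older kadmin builds, mapped to the
# canonical names newer builds print (assumed from MIT enctype descriptions).
LONG_NAMES = {
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
}
KEY_LINE = re.compile(r"^Key: vno (\d+), ([^,]+), .*$")

def parse_keys(getprinc_text):
    """Return the set of (kvno, enctype) pairs from getprinc 'Key:' lines."""
    keys = set()
    for raw in getprinc_text.splitlines():
        line = raw.lstrip("> \t")  # tolerate mail-quoted output
        m = KEY_LINE.match(line)   # 'MKey:' lines do not match
        if m:
            enctype = m.group(2).strip()
            keys.add((int(m.group(1)), LONG_NAMES.get(enctype, enctype)))
    return keys

def compare(kdc_a_text, kdc_b_text):
    """Compare one principal's key list as seen on two KDCs."""
    a, b = parse_keys(kdc_a_text), parse_keys(kdc_b_text)
    return {"shared": a & b, "only_a": a - b, "only_b": b - a}

# Key lists for krbtgt/REALM_B@REALM_A, copied from the post above.
REALM_A_KDC = """\
Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
Key: vno 1, des3-cbc-sha1, Version 5
Key: vno 1, arcfour-hmac, Version 5
MKey: vno 1
"""
REALM_B_KDC = """\
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
"""

if __name__ == "__main__":
    result = compare(REALM_A_KDC, REALM_B_KDC)
    for label in ("shared", "only_a", "only_b"):
        print(label, sorted(result[label]))
```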

