[Freeipa-users] Unable to setup FreeIPA and MIT kerberos cross domain trust

Wed, 13 Apr 2016 01:01:34 -0700 

Hi,


I am trying to setup cross domain trust between FreeIPA and MIT Kerberos. I
have already created krbtgt in the both FreeIPA and MIT Kerberos. I can
successfully get Kerberos ticket from the both domains.However when I try
to access Hadoop using the FreeIPA domain then I get this error in trace
log. Wondering what is missing?


Service ticket not found in the subject

>>> Realm doInitialParse: cRealm=[TEST.COM], sRealm=[TEST2.COM]

>>> Realm parseCapaths: no cfg entry

>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/
test2....@test.com

Using builtin default etypes for default_tgs_enctypes

default etypes for default_tgs_enctypes: 18 17 16 23 1 3.

>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType

>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType

getKDCFromDNS using UDP

>>> KrbKdcReq send: kdc=test2company.com. UDP:88, timeout=30000, number of
retries =3, #bytes=701

>>> KDCCommunication: kdc=test2company.com. UDP:88, timeout=30000,Attempt
=1, #bytes=701

>>> KrbKdcReq send: #bytes read=637

>>> KdcAccessibility: remove test2company.com.:88

>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType

>>> Credentials acquireServiceCreds: global OK-AS-DELEGATE turned off at
krbtgt/test2....@test.com

>>> Credentials acquireServiceCreds: got tgt

>>> Credentials acquireServiceCreds: got right tgt

>>> Credentials acquireServiceCreds: obtaining service creds for nn/
testcompany....@test2.com

Using builtin default etypes for default_tgs_enctypes

default etypes for default_tgs_enctypes: 18 17 16 23 1 3.

>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType

>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType

>>> KrbKdcReq send: kdc=testcompany.com UDP:88, timeout=30000, number of
retries =3, #bytes=662

>>> KDCCommunication: kdc=testcompany.com UDP:88, timeout=30000,Attempt =1,
#bytes=662

>>> KrbKdcReq send: #bytes read=150

>>> KdcAccessibility: remove testcompany.com

>>> KDCRep: init() encoding tag is 126 req type is 13

>>>KRBError:

         cTime is Sun Jun 01 13:55:49 EDT 1975 170877349000

         sTime is Sat Apr 09 15:01:16 EDT 2016 1460228476000

         suSec is 693381

         error code is 31

         error Message is Integrity check on decrypted field failed

         realm is TEST2.COM

         sname is nn/testcompany.com

         msgType is 30

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to