Does anyone have pointers to comprehensive documentation of how to make
cross-realm authentication work?

I have three Kerberos realms, all running MIT KDCs, which we'll call
ONE.NET, TWO.NET, and FOO.TWO.NET. If I grab a TGT for a principal in
realm FOO.TWO.NET, I can acquire tickets for services in the TWO.NET
realm. If I grab a TGT for a principal in the TWO.NET realm, I can
acquire tickets for services in the ONE.NET realm. The problem is that I
can't use a TGT from FOO.TWO.NET to get a service ticket from ONE.NET.

Looking at the logs for the ONE.NET KDC, I see these error messages:

bad realm transit path from '[EMAIL PROTECTED]' to '[EMAIL PROTECTED]' via 'TWO.NET'
TGS_REQ (3 etypes {16 1 3}) 64.22.202.18(88): BAD_TRANSIT: authtime 1011926513,
[EMAIL PROTECTED] for [EMAIL PROTECTED], KDC policy rejects request

I'm sure there must be a simple answer to this problem, but I haven't been
able to find it yet in my search through the MIT documentation and on the
web.

Thanks,
Steve Langasek
postmodern programmer
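For reference, the mechanism an MIT KDC consults when it checks the transited realm list of a cross-realm TGS request is the [capaths] section of krb5.conf. The fragment below is an added illustration for the three realms named in the post, not configuration from the original message, and it assumes TWO.NET is the intended intermediate realm between FOO.TWO.NET and ONE.NET.

```ini
# Added illustration, not from the original post: a [capaths] section
# describing the path FOO.TWO.NET -> TWO.NET -> ONE.NET.
# Each outer key is the client realm, each inner key is the target realm,
# and the value is the intermediate realm the path goes through.
# A value of "." means the two realms share a cross-realm key directly.
[capaths]
    FOO.TWO.NET = {
        TWO.NET = .
        ONE.NET = TWO.NET
    }
    TWO.NET = {
        FOO.TWO.NET = .
        ONE.NET = .
    }
    ONE.NET = {
        TWO.NET = .
        FOO.TWO.NET = TWO.NET
    }
```

The same section should be visible to the KDC that issues the final service ticket (here ONE.NET's) and to the clients, since both sides evaluate the path; a ticket whose transited field names a realm that is not on the configured path is what a KDC reports as a bad transit path.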