Inger, Slav (.) wrote:
> Hi all,
> 
> I tested cross-realm awhile back and it seemed to work fine, not sure why I'm 
> running into issues now, maybe I'm forgetting something obvious.  Scenario:  KDC is 
> Active Directory, clients are running Solaris and HP-UX with Kerberos and 
> appropriate patches.  I tried going Sun to Sun and HP to HP, didn't get too far with 
> either.  Two clients are in different realms, have good keytabs and good krb5.conf's 
> (tried with and without [capaths] section).  The passwd entries for the user logging 
> in from one realm to the other are identical on both clients (meaning the same user 
> is doing cross-realm login).  The issue is with authorization, for some reason the 
> destination machine is not authorizing the user from the source realm.  Works the 
> same with and without .k5login file in user's home dir on the destination host.  
> [domain_realm] is set up correctly, with two DNS domains referencing their 
> respective realms.  The user's cache shows 2 TGTs (for his own realm and one for 
> cross-realm) and a host ticket, but he just can't log in.  Any idea what's going on here?  
> Thanks!
> 
> ________________________________________________
> Kerberos mailing list           [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


Cross-realm implies two different KDCs, one for each realm, which
are configured to issue tickets for one another.  You have
described one KDC (Active Directory).  Could you please
correct the description of your problem.