On Friday, April 01, 2005 11:33:08 PM -0800 Darren Hoch <[EMAIL PROTECTED]> wrote:

Hello All,

Thanks Jeffrey. I deleted the old krbtgt principals and added the
following on each host:

krbtgt/[EMAIL PROTECTED]
krbtgt/[EMAIL PROTECTED]

I am almost there. When user darren now tries to telnet (kerberized) from
a host in realm EXAMPLE.COM to a host in EXAMPLE1.COM, the credentials
and encryption are accepted, however, I am still prompted for a password
for the user darren in realm EXAMPLE1.COM. Should I be prompted, or should
I be able to do single sign on?

It sounds like now you are successfully authenticating to the telnet server, and the authorization check is failing. This is not surprising, since the default policy only allows you to log in as user 'foo' if you are authenticated as the principal '[EMAIL PROTECTED]'. You can override the local policy for a given user by giving that user a .k5login file listing the principals who are allowed to log in as him. For example, you could give 'darren' a .k5login file containing the following two lines:


[EMAIL PROTECTED]
[EMAIL PROTECTED]


-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
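
The authorization decision described in the reply above, as an added example that is not part of the original thread and is not MIT Kerberos code: a simplified Python model of the default login policy and of a `.k5login` override. The principal names are constructed from the realm names in the thread (the archive redacts the originals); the function names and the rule that an existing `.k5login` is authoritative are assumptions of this model.

```python
# Simplified model of the login authorization check (added example, not krb5 source).
# Principal names are constructed from the realms mentioned in the thread.

SERVER_REALM = "EXAMPLE1.COM"   # default realm of the telnet server host
K5LOGIN = "darren@EXAMPLE.COM\ndarren@EXAMPLE1.COM\n"   # constructed file content


def parse_k5login(text):
    """Return the principals listed in a .k5login file, one per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def default_mapping_ok(principal, local_user, default_realm):
    """Default policy: only <local_user>@<server's default realm> is accepted."""
    name, sep, realm = principal.rpartition("@")
    return sep == "@" and name == local_user and realm == default_realm


def may_login(principal, local_user, default_realm, k5login_text=None):
    """Decide whether an authenticated principal may log in as local_user.

    k5login_text is the content of ~local_user/.k5login, or None if no file exists.
    Assumption of this model: once the file exists, only listed principals pass,
    so the user's own local-realm principal must be listed as well.
    """
    if k5login_text is None:
        return default_mapping_ok(principal, local_user, default_realm)
    return principal in parse_k5login(k5login_text)


def demo():
    """Map each principal to (allowed without .k5login, allowed with .k5login)."""
    principals = ("darren@EXAMPLE.COM", "darren@EXAMPLE1.COM", "alice@EXAMPLE.COM")
    return {
        p: (may_login(p, "darren", SERVER_REALM),
            may_login(p, "darren", SERVER_REALM, K5LOGIN))
        for p in principals
    }


if __name__ == "__main__":
    for principal, (before, after) in demo().items():
        print(f"{principal:22} no .k5login: {before!s:5}  with .k5login: {after}")
```

Under this model, a `.k5login` listing only the cross-realm principal would stop the local-realm principal from logging in as `darren`, which is why the suggested file has two lines.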

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
