Michael B Allen <[EMAIL PROTECTED]> wrote:
> On Thu, 3 May 2007 23:33:29 +0100
> "Markus Moeller" <[EMAIL PROTECTED]> wrote:
>
>> What does sshd -ddde show when you connect ? Do you use a .k5login
>> or auth_to_local ?
>
> Hi Markus,
>
> I'm not familiar with .k5login or auth_to_local. The only thing I
> changed in sshd_config was I turned off UsePAM.
Kerberos only handles authentication. You need something for authorization.
By default, the kerberos libraries will match principals in the local default
realm to local users. (principal == local user name.) [EMAIL PROTECTED] can
login as cclausen. [EMAIL PROTECTED] cannot login without authorization.

> I actually think the trust is valid. I've been trying it with my HTTP
> SSO code and the GSS calls are definitely succeeding. It's something
> that happens after the auth (e.g. RC4 salting or session key
> problem).

Setting up a trust does NOT automatically grant authorization for the foreign
realm. Try creating a ~/.k5login file in the home directory of the user you
are logging in as listing authorized Kerberos principals, one per line.

(AD.UIUC.EDU is a Windows AD domain. ILLIGAL.UIUC.EDU is a MIT realm.)

For instance:

C:\>klist
Ticket cache: API:[EMAIL PROTECTED]
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/03/07 20:26:36  05/04/07 06:26:36  krbtgt/[EMAIL PROTECTED]

C:\>putty ial.illigal.uiuc.edu

C:\>klist
Ticket cache: API:[EMAIL PROTECTED]
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/03/07 20:26:36  05/04/07 06:26:36  krbtgt/[EMAIL PROTECTED]
05/03/07 20:26:36  05/04/07 06:26:36  krbtgt/[EMAIL PROTECTED]
05/03/07 20:26:58  05/04/07 06:26:36  host/[EMAIL PROTECTED]

On the remote system:

[EMAIL PROTECTED]:~$ cat .k5login
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_L30429
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/03/07 20:26:58  05/04/07 06:26:36  krbtgt/[EMAIL PROTECTED]
[EMAIL PROTECTED]:~$ cat /etc/krb5.conf | grep default
[libdefaults]
        default_realm = ILLIGAL.UIUC.EDU
[EMAIL PROTECTED]:~$

<<CDC

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
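The authentication-versus-authorization split described in the reply above, as an added example that is not part of the mailing-list post or of the MIT krb5 code base: a small model of the .k5login / default-realm authorization decision a GSSAPI login service makes after the GSS exchange has already succeeded. The rules follow the post and the documented MIT .k5login behaviour (an existing .k5login is the whole policy for that account, so even the user's own local principal must be listed). The function names and the sample realms and principals (modelled on AD.UIUC.EDU as the foreign AD realm and ILLIGAL.UIUC.EDU as the local MIT realm) are constructed values for this example.

```python
# Added example, not code from the mailing-list post or from MIT krb5.
# Models the authorization step a GSSAPI login (e.g. sshd) performs after
# authentication: the GSS exchange proves which principal the client holds;
# whether that principal may act as the requested local account is decided
# separately, which is why a working cross-realm trust can still end in a
# refused login.  Realms, principals and function names below are this
# example's own constructed values.

from typing import Optional


def parse_principal(principal: str) -> tuple[str, str]:
    """Split 'name@REALM' into (name, realm).

    A principal written without a realm gets an empty realm, so it can never
    match the local default realm by accident.
    """
    if "@" not in principal:
        return principal, ""
    name, _, realm = principal.rpartition("@")
    return name, realm


def parse_k5login(contents: Optional[str]) -> Optional[set[str]]:
    """Return the principals listed in a .k5login file, one per line.

    `contents` is None when the file does not exist; that is returned as
    None so the caller can tell "no policy file" from "empty policy file".
    """
    if contents is None:
        return None
    return {line.strip() for line in contents.splitlines() if line.strip()}


def is_authorized(principal: str, local_user: str, default_realm: str,
                  k5login: Optional[str]) -> bool:
    """Decide whether an authenticated `principal` may log in as `local_user`.

    `k5login` is the text of ~local_user/.k5login, or None if absent.
      * No .k5login: accept only name == local_user in the local default
        realm (the implicit mapping the post describes).
      * .k5login present: the file is the whole policy for that account; a
        cross-realm trust on its own authorizes nothing, and the account's
        own local principal must be listed as well.
    """
    listed = parse_k5login(k5login)
    if listed is not None:
        return principal in listed
    name, realm = parse_principal(principal)
    return realm == default_realm and name == local_user


def walk_through() -> dict[str, bool]:
    """Replay the situations from the thread with constructed sample values."""
    default_realm = "ILLIGAL.UIUC.EDU"          # local MIT realm
    local_principal = "cclausen@ILLIGAL.UIUC.EDU"
    foreign_principal = "cclausen@AD.UIUC.EDU"  # trusted Windows AD realm
    k5login = "cclausen@ILLIGAL.UIUC.EDU\ncclausen@AD.UIUC.EDU\n"

    return {
        # Same name, local realm, no .k5login: implicit mapping succeeds.
        "local_no_file": is_authorized(local_principal, "cclausen",
                                       default_realm, None),
        # Foreign realm, no .k5login: GSS authentication succeeds, login is
        # still refused.  This is the "auth works, then it fails" symptom.
        "foreign_no_file": is_authorized(foreign_principal, "cclausen",
                                         default_realm, None),
        # Foreign realm, listed in .k5login: authorized.
        "foreign_listed": is_authorized(foreign_principal, "cclausen",
                                        default_realm, k5login),
        # Another principal from the trusted realm is still refused.
        "other_foreign_listed": is_authorized("otheruser@AD.UIUC.EDU",
                                              "cclausen", default_realm,
                                              k5login),
        # With a .k5login present, an unlisted local principal is refused too.
        "local_unlisted": is_authorized(local_principal, "cclausen",
                                        default_realm,
                                        "cclausen@AD.UIUC.EDU\n"),
    }


if __name__ == "__main__":
    for case, allowed in walk_through().items():
        print(f"{case:22s} -> {'allow' if allowed else 'deny'}")
```

The "foreign_no_file" case is the one the thread is about: the trust makes the TGT and host ticket acquisition succeed, but without a .k5login entry (or an auth_to_local mapping) the foreign principal never maps to the local account, so the session is refused after authentication has already completed.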