Re: cross-realm authentication works only with .k5login

Mon, 17 Mar 2008 13:48:46 -0700 

Hi Andrea,

a user [EMAIL PROTECTED] in not the same as a user [EMAIL PROTECTED] You need 
to 
tell a server in domain SOLARIS that user [EMAIL PROTECTED] is the same as 
[EMAIL PROTECTED] by either using .k5login or use auth_to_local in krb5.conf 
e.g.

..
[realms]
       SOLARIS = {
               kdc = ..
#
# map [EMAIL PROTECTED] to local user xxx
#
               auth_to_local = RULE:[1:[EMAIL PROTECTED]([EMAIL 
PROTECTED])s/@.*//
               auth_to_local = DEFAULT
       }
..

This means you trust both domains using unique ids.

Markus


"Andrea" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Hi all,
> I just setted up a multi realm KDC on a linux machine.
> The 2 REALMS are named SOLARIS and SOLARIS2.
> I want to put a trust relationship between the two REALMS, so I did
> the following on each KDC:
>
> addprinc -pw krbtgt/SOLARIS2 krbtgt/[EMAIL PROTECTED]
> addprinc -pw krbtgt/SOLARIS krbtgt/[EMAIL PROTECTED]
>
> In order to test cross realm authentication I tryed to single sign on
> into a machine based on SOLARIS realm, with a ticket of SOLARIS2. The
> SSO doesn't work, however if I run klist after trying   SSO, it
> yields:
> [EMAIL PROTECTED] ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 03/17/08 04:09:13  03/17/08 15:49:13  krbtgt/[EMAIL PROTECTED]
>        renew until 03/17/08 04:09:13
> 03/17/08 04:09:19  03/17/08 15:49:13  krbtgt/[EMAIL PROTECTED]
>        renew until 03/17/08 04:09:13
> 03/17/08 04:09:19  03/17/08 15:49:13  host/[EMAIL PROTECTED]
>        renew until 03/17/08 04:09:13
>
> It seems that the cross realm authentication works, but the SSO no.
>
> I can make the system successfully works inserting the .k5login file
> into the home directory of the user who is attempting to SSO on the
> machine with a ticket of SOLARIS2 REALM.
>
> I want to ask to you:
>
> Am I missing something on the configuration?
> Is necessary to set up for each user on the system a .k5login?
> Is it possible to avoid using the .k5login?
>
> Thanks in advance!
>
> best regards,
> Andrea
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Reply via email to