I'm trying to set up a transitive relationship between three Kerberos realms,
two of them being AD domains and one a pure MIT server.
I'm doing my test on Scientific Linux 6.1, up to date.
In the krb5.conf, I have added:
[domain_realm]
    d1 = R1
    d2 = R2
    d3 = R3
[realms]
    R1 = {
        kdc = kdc.d1
    }
    R2 = {
        kdc = kdc.d2
    }
    R3 = {
        kdc = kdc.d3
    }
[capaths]
    R1 = {
        R3 = R2
        R2 = R2
        R1 = .
    }
    R2 = {
        R3 = R3
        R2 = .
        R1 = R1
    }
    R3 = {
        R1 = R2
        R2 = R2
        R3 = .
    }
So I want R1 and R3 to trust each other through R2. R1 and R2 are on AD
servers, R3 is on an MIT server.
The needed trust relationships exist between both R1 and R2 and R2 and R3,
with the needed krbtgt/R2@R1 and krbtgt/R3@R2.
But it fails, and for a very strange reason.
I do a kinit user@R1; it's fine.
I do ssh [email protected] on my SL6.1 host; it fails, and when I look at the
ticket requests with Wireshark, I see the following queries:
on kdc.d1, a TGS_REQ for krbtgt/R3@R1 that fails with
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
on kdc.d1, a TGS_REQ for krbtgt/R2@R1, success.
on kdc.d2, a TGS_REQ for krbtgt/R3@R1, which fails with KDC_ERR_WRONG_REALM.
What's the point of a TGS for krbtgt/R3@R1 on kdc.d2? I expected a TGS_REQ for
krbtgt/R3@R2.
I compiled t_walk_rtree and I'm getting:
$ ./t_walk_rtree R1 R3
krbtgt/R1@R1
krbtgt/R2@R1
krbtgt/R3@R2
Did I miss something? What is wrong with my setup?
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
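For readers who want to reproduce the t_walk_rtree path expansion without building the MIT test program, here is a small added Python checker (not part of the post or of MIT krb5) that parses a [capaths] section, expands the krbtgt chain for a client/server realm pair, and flags an intermediate realm that has no capath entry of its own toward the destination. It assumes every KDC on the path resolves cross-realm routes from an equivalent table, which an AD KDC does not do from krb5.conf; the realm names are the placeholders from the post.

```python
# Constructed sample reproducing the [capaths] block from the post (not the poster's file).
SAMPLE_KRB5_CONF = """[capaths]
R1 = {
    R3 = R2
    R2 = R2
    R1 = .
}
R2 = {
    R3 = R3
    R2 = .
    R1 = R1
}
R3 = {
    R1 = R2
    R2 = R2
    R3 = .
}"""

def parse_capaths(text):
    capaths, client, in_section = {}, None, False   # {client: {server: [intermediates]}}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('['):
            in_section = (line == '[capaths]')
        elif line and in_section and line.endswith('{'):
            client = line.split('=', 1)[0].strip()
            capaths.setdefault(client, {})
        elif line == '}':
            client = None
        elif line and in_section:
            key, val = (s.strip() for s in line.split('=', 1))
            capaths[client].setdefault(key, []).append(val)   # repeated keys accumulate hops
    return capaths

def walk_rtree(capaths, client, server):
    """Expand client->server into the krbtgt chain, in the form t_walk_rtree prints."""
    chain, prev = [f"krbtgt/{client}@{client}"], client
    if client == server:
        return chain
    for hop in capaths.get(client, {}).get(server, []):
        if hop in ('.', server):  # '.' (or the target itself) means a direct trust
            break
        chain.append(f"krbtgt/{hop}@{prev}")
        prev = hop
    return chain + [f"krbtgt/{server}@{prev}"]

def check_transitive_paths(capaths):
    # (client, server, hop) where the intermediate realm has no capath of its own to server
    return [(c, s, hop) for c, t in capaths.items() for s, hops in t.items()
            for hop in hops if hop not in ('.', s) and s not in capaths.get(hop, {})]
```

Running walk_rtree over the sample for R1 to R3 yields the same three-ticket chain the post shows from t_walk_rtree, which confirms the client-side table is read as intended.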