Hello

I'm having some problems getting Kerberos to work. I have two realms: one realm 
running on Windows 2008 (WINDOWS), with one KDC and an RODC (the RODC is in a 
separate network). I am testing ticket forwarding cross-realm. The 
second realm is a Linux realm (LINUX) running on Scientific Linux 6.1. All the 
Linux machines are using the same Kerberos libraries:

krb5-libs-1.9.2-6.fc16.x86_64
krb5-libs-1.9.2-6.fc16.i686
krb5-workstation-1.9.2-6.fc16.x86_64

So from my Fedora desktop computer I kinit with a WINDOWS realm user, and 
from there I ssh to my server. The SSH server principal is created in the LINUX 
realm. This works smoothly.

I also have a kerberized NFS 4 server, declared in the LINUX realm. So from 
the SSH server (NFS client), I mount the folder and try to access it, getting a 
permission denied message. I've captured the traffic from my SSH server (NFS 
client) at the moment of accessing the NFS folder. I've noticed the 
following error:

KRB_AP_ERR_BAD_INTEGRITY

Also I noticed that the Name-Type inside the request packet is Unknown.

After some browsing on the internet, it seems that the W2008 RODC needs the 
Name-Type to be set, and in fact this has been patched in Kerberos. What is 
more, if I don't do ticket forwarding, so I kinit the user from the SSH server 
(NFS client), and access the folder, it works!

Could it be that the current implementation of Kerberos is not setting the 
Name-Type for forwarded tickets?

Regards

Sebastián Galiano
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos

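The field the poster saw as "Unknown" is the name-type of the Kerberos PrincipalName (RFC 4120, section 5.2.2 and 6.2), where NT-UNKNOWN is 0 and service principals in tickets normally carry NT-SRV-HST (3) or NT-PRINCIPAL (1). The following is an added example, not code from the original post or from the MIT Kerberos project: a small DER decoder for PrincipalName that reports the name-type and flags the NT-UNKNOWN case, so the value can be checked directly from bytes pulled out of a capture. The sample principal names and encoded bytes are constructed here for illustration and are not taken from the poster's traffic.

```python
"""
Decode a Kerberos V5 PrincipalName (RFC 4120 section 5.2.2) from its DER
encoding and report the name-type.

    PrincipalName ::= SEQUENCE {
        name-type   [0] Int32,
        name-string [1] SEQUENCE OF KerberosString   -- GeneralString, tag 0x1B
    }

Added example, not code from the original mailing-list post. The sample
bytes built below are constructed here, not taken from the poster's capture.
"""

# Name types assigned in RFC 4120 section 6.2.
NAME_TYPES = {
    0: "NT-UNKNOWN",
    1: "NT-PRINCIPAL",
    2: "NT-SRV-INST",
    3: "NT-SRV-HST",
    4: "NT-SRV-XHST",
    5: "NT-UID",
    6: "NT-X500-PRINCIPAL",
    7: "NT-SMTP-NAME",
    10: "NT-ENTERPRISE",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles short-form and definite long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_principal_name(name_type, components):
    """DER-encode a PrincipalName; used here only to build sample input."""
    def tlv(tag, body):
        assert len(body) < 128  # short-form length is enough for the samples
        return bytes([tag, len(body)]) + body
    nt = tlv(0xA0, tlv(0x02, name_type.to_bytes(1, "big")))   # [0] Int32
    strings = b"".join(tlv(0x1B, c.encode("ascii")) for c in components)
    ns = tlv(0xA1, tlv(0x30, strings))                         # [1] SEQUENCE OF
    return tlv(0x30, nt + ns)


def decode_principal_name(der):
    """Parse PrincipalName -> (name_type, [components]); ValueError on bad tags."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PrincipalName must be a SEQUENCE")
    tag, nt_body, pos = _read_tlv(body, 0)
    if tag != 0xA0:
        raise ValueError("expected [0] name-type")
    itag, ival, _ = _read_tlv(nt_body, 0)
    if itag != 0x02:
        raise ValueError("name-type must be an INTEGER")
    name_type = int.from_bytes(ival, "big", signed=True)
    tag, ns_body, pos = _read_tlv(body, pos)
    if tag != 0xA1:
        raise ValueError("expected [1] name-string")
    stag, seq, _ = _read_tlv(ns_body, 0)
    if stag != 0x30:
        raise ValueError("name-string must be a SEQUENCE OF")
    comps, p = [], 0
    while p < len(seq):
        ctag, cval, p = _read_tlv(seq, p)
        if ctag != 0x1B:
            raise ValueError("KerberosString must be a GeneralString")
        comps.append(cval.decode("ascii"))
    return name_type, comps


def describe(der):
    """Summary dict with a flag for the NT-UNKNOWN (0) case from the post."""
    name_type, comps = decode_principal_name(der)
    label = NAME_TYPES.get(name_type, f"unassigned({name_type})")
    return {"name_type": name_type, "label": label,
            "principal": "/".join(comps), "unknown_name_type": name_type == 0}


# Constructed samples with hypothetical names (not the poster's hosts).
SAMPLE_OK = encode_principal_name(3, ["nfs", "nfs.linux.example"])
SAMPLE_UNKNOWN = encode_principal_name(0, ["nfs", "nfs.linux.example"])

if __name__ == "__main__":
    for name, der in (("well-formed", SAMPLE_OK), ("suspect", SAMPLE_UNKNOWN)):
        print(name, describe(der))
```

To apply this to a real capture, export the `sname` bytes of the AP-REQ ticket (or the service name inside the forwarded TGS-REQ) from the dissector and pass them to `describe()`; a result with `unknown_name_type` set to True is the condition the post describes.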