Hi everyone, I'm trying to set up cross-realm authentication so that a user in realm EXAMPLE.COM can access a service in HADOOP.COM. I've added a capaths section to my krb5.conf for the same:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = EXAMPLE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     EXAMPLE.COM = {
      kdc = examplekdc.example.com
      admin_server = examplekdc.example.com
     }
     HADOOP.COM = {
      kdc = hadoopkdc.hadoop.com
      admin_server = hadoopkdc.hadoop.com
     }

    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM

    [capaths]
     HADOOP.COM = {
      EXAMPLE.COM = .
     }

I've also added the required principal krbtgt/hadoop....@example.com to both KDCs. So far, everything is working and my application is able to do what it needs to. What I'm concerned about is the following lines in my trace log on EXAMPLE.COM:

    [158447] 1497720267.441664: TGS request result: -1765328377/Server myservice/hadoopkdc.hadoop....@example.com not found in Kerberos database
    [158447] 1497720267.441680: Local realm referral failed; trying fallback realm HADOOP.COM

My questions are the following:

(1) What exactly is this local realm referral? Is this Kerberos jargon for cross-realm requests?
(2) Why would the local realm referral fail? How do I explicitly specify how I want the local realm referral to occur?
(3) What is the meaning of a fallback realm? And how do I specify one?

As you can see from my krb5.conf, I haven't specified the fallback realm or referrals explicitly, so I think Kerberos is picking up default values for them. I want to know how I can specify them explicitly.

Thanks in advance!
Pratyush
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
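The post above configures a [capaths] entry and asks how the client decides which realms to traverse. As an added example that is not part of the original post and not MIT krb5's own code, the Python below models the documented path computation: in [capaths] the outer key is the client realm, the inner key is the server realm, and a value of `.` means a direct trust with no intermediate; repeated inner keys list intermediates in order. When no entry exists, the hierarchical default walks up to the nearest common ancestor realm (a dot-separated suffix shared by both names) and back down. The sample configuration and the realm names ANL.GOV, ES.NET, PNL.GOV, NERSC.GOV and A/B.EXAMPLE.COM are constructed for this example; the parser handles only the [capaths] section and is a simplification of the real profile library, and the model does not cover the referral-first behaviour the trace log shows.

```python
"""Model of how a Kerberos client derives its realm path from [capaths].

Added example; not code from the original mailing-list post or from MIT krb5.
"""
from typing import Dict, List, Optional

# Constructed sample [capaths] block in krb5.conf syntax (test fixture only).
SAMPLE_CAPATHS = """
[capaths]
    EXAMPLE.COM = {
        HADOOP.COM = .          # direct trust: client EXAMPLE.COM -> server HADOOP.COM
    }
    ANL.GOV = {
        TEST.ANL.GOV = .
        PNL.GOV = ES.NET        # one intermediate realm
        NERSC.GOV = ES.NET      # repeated key: intermediates listed in order,
        NERSC.GOV = PNL.GOV     # nearest the client first
    }
"""


def parse_capaths(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse only the [capaths] section into client -> server -> [intermediates].

    An empty intermediate list means a direct trust ('.' in the file).
    Simplified parser: one 'key = value' per line, '#' starts a comment.
    """
    caps: Dict[str, Dict[str, List[str]]] = {}
    in_section = False
    client: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line == "[capaths]"
            continue
        if not in_section:
            continue
        if line == "}":
            client = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            client = key
            caps.setdefault(client, {})
        elif client is not None:
            hops = caps[client].setdefault(key, [])
            if value != ".":
                hops.append(value)
    return caps


def hierarchical_path(client: str, server: str) -> List[str]:
    """Default path when [capaths] has no entry for (client, server).

    Climb from the client realm to the nearest common ancestor realm, then
    descend to the server realm. This is a simplified version of MIT krb5's
    hierarchical rule; realms with no common ancestor are rejected here,
    since such a pair needs an explicit [capaths] entry.
    """
    c_parts, s_parts = client.split("."), server.split(".")
    common = 0
    while (common < min(len(c_parts), len(s_parts))
           and c_parts[-1 - common] == s_parts[-1 - common]):
        common += 1
    if common == 0:
        raise ValueError(f"{client} and {server} share no ancestor realm; configure [capaths]")
    # Ancestors of the client, nearest first, up to and including the common ancestor.
    up = [".".join(c_parts[i:]) for i in range(1, len(c_parts) - common + 1)]
    # From the common ancestor down to the server's immediate parent.
    down = [".".join(s_parts[i:]) for i in range(len(s_parts) - common, 0, -1)]
    path = [client]
    for hop in up + down:          # the ancestor appears in both lists; drop the repeat
        if hop != path[-1]:
            path.append(hop)
    if path[-1] != server:
        path.append(server)
    return path


def realm_path(caps: Dict[str, Dict[str, List[str]]], client: str, server: str) -> List[str]:
    """Ordered realms whose TGTs the client must obtain, client first, server last."""
    if client == server:
        return [client]
    intermediates = caps.get(client, {}).get(server)
    if intermediates is None:
        return hierarchical_path(client, server)
    return [client, *intermediates, server]


if __name__ == "__main__":
    caps = parse_capaths(SAMPLE_CAPATHS)
    for c, s in [("EXAMPLE.COM", "HADOOP.COM"), ("HADOOP.COM", "EXAMPLE.COM"),
                 ("ANL.GOV", "NERSC.GOV"), ("A.EXAMPLE.COM", "B.EXAMPLE.COM")]:
        print(f"{c} -> {s}: {' -> '.join(realm_path(caps, c, s))}")
```

Running it shows that the sample entry is one-directional: EXAMPLE.COM reaches HADOOP.COM directly because of the [capaths] entry, while the reverse direction has no entry and falls back to the hierarchical walk through a "COM" realm, which is why each client realm that needs a direct cross-realm hop gets its own [capaths] entry.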