I have a config that is working on Ubuntu 10.04 and above but failing on
8.04. Any suggestions would be appreciated!
The problem is that I cannot SSH into the 8.04 machines unless I am
using an account in the same realm as the DNS suffix of the system. I am
using Windows Active Directory as both
Did you add the line:
myu...@example.com
to the .k5login file for myuser on ssh-serv.etud.example.com?
The assumption is foreign principals are not allowed to login by
default. i.e. a local user in one realm is not the same as a local
user in another realm.
Also see the auth_to_local
.
Now I'd like to achieve cross-realm authentication. I want that someone
with an EXAMPLE.COM ticket can connect to the ETUD.EXAMPLE.COM
ssh-server. To be sure of what principal to add I tried to connect to
my ssh-server :
debug1: Unspecified GSS failure. Minor code may provide more
information Server
these tickets to successfully connect via ssh on my ssh-servers.
Now I'd like to achieve cross-realm authentication. I want that someone
with an EXAMPLE.COM ticket can connect to the ETUD.EXAMPLE.COM
ssh-server. To be sure of what principal to add I tried to connect to
my ssh-server :
debug1
|
v
service - realm-2KDC
serv...@realm2 krbtgt/rea...@realm2
cross realm authentication usually works this way (scenario-1):
step 1: client requests a TGT in his realm: AS-REQ/AS-REP for
krbtgt/rea...@realm1
step 2: client decides that service
Hi Kevin
Please help me to solve the cross realm set up
Please find the attached captures.
Regards
Naveen
-- Forwarded message --
From: krbmit siso krb...@gmail.com
Date: Thu, Jan 6, 2011 at 9:32 AM
Subject: Re: Cross realm authentication
To: m...@mproehl.net
Cc: kerberos
Thank you for your timely response and explanation.
Also i will be good if you please share some links/pdf on kerberos
cross realm authentication
w.r.t. requests and implementation details like the requests going out
from client.
Regards
Naveen
to get cross realm authentication working under windows 2008
server environment.
I have set up two domain with realm1 and realm 2 in 2 different windows
servers. I have added a one
way trust at realm1 for realm2. The client is in realm1 wants to access a
server at realm2 . I got the
AS-REP
:
Hi All,
Please guide me to get cross realm authentication working under
windows 2008
server environment.
I have set up two domain with realm1 and realm 2 in 2 different
windows
servers. I have added a one
way trust at realm1 for realm2. The client
On 1/5/11 2:53 PM +0530 krbmit siso wrote:
*Server Principal Names in TGS-REQ.*
Padata field - Contents in the TICKET which is visible
Tkt-vno: 5
Realm: realm1.com
Server Name (Principal):
realm request (Windows, MIT Kerberos, Java, ...)
Regards,
Mark Pröhl
On 01/05/2011 06:47 AM, krbmit siso wrote:
Hi All,
Please guide me to get cross realm authentication working under windows
2008
server environment.
I have set up two domain with realm1 and realm 2 in 2 different
Hi All,
Please guide me to get cross realm
Hi All,
Please guide me to get cross realm authentication working under windows 2008
server environment.
I have set up two domain with realm1 and realm 2 in 2 different windows
servers. I have added a one
way trust at realm1 for realm2. The client is in realm1 wants to access a
server at realm2
Hi,
I have some question about CROSS REALM authentication.
I have two domains: TEST.COM and TEST2.COM
These two domain use Windows server 2003, and there is a trust relationship two
way between them.
How could I setup a CROSS realm domain authentication ? Where should I setup a
ktpass ? Where
Christopher D. Clausen wrote:
Bjørn Tore Sund bjorn.s...@it.uib.no wrote:
I'd like to thank Douglas Engert, Christopher Clausen and Guillaume
Rosse for the help with this matter. Netdom.exe was indeed the
answer, and as I was pestering our main AD honcho on the matter he
started to remember
Douglas E. Engert wrote:
Bjoern Tore Sund wrote:
I am trying to get cross-realm authentication to work between AD and
our MIT Kerberos realm. Windows client are in KLIENT.UIB.NO, Windows
user accounts are in UIB.NO, Unix/Linux machines and accounts are in
UNIX.UIB.NO. User names
I'd like to thank Douglas Engert, Christopher Clausen and Guillaume
Rosse for the help with this matter. Netdom.exe was indeed the answer,
and as I was pestering our main AD honcho on the matter he started to
remember (I still don't...) that I'd pulled up that command to him
before - and the
Bjørn Tore Sund bjorn.s...@it.uib.no wrote:
I'd like to thank Douglas Engert, Christopher Clausen and Guillaume
Rosse for the help with this matter. Netdom.exe was indeed the
answer, and as I was pestering our main AD honcho on the matter he
started to remember (I still don't...) that I'd
I am trying to get cross-realm authentication to work between AD and our
MIT Kerberos realm. Windows client are in KLIENT.UIB.NO, Windows user
accounts are in UIB.NO, Unix/Linux machines and accounts are in
UNIX.UIB.NO. User names in UIB.NO and UNIX.UIB.NO are the same.
KLIENT.UIB.NO
Bjoern Tore Sund wrote:
I am trying to get cross-realm authentication to work between AD and our
MIT Kerberos realm. Windows client are in KLIENT.UIB.NO, Windows user
accounts are in UIB.NO, Unix/Linux machines and accounts are in
UNIX.UIB.NO. User names in UIB.NO and UNIX.UIB.NO
Douglas E. Engert wrote:
krb5-1.6.1 supports RC4 and DES (plus others).
Windows 2003 only supports RC4 and DES.
krb5-1.3.1 only supports DES.
Windows 2003 supports RC4 starting from SP2 only, and still uses DES for
cross-realm relationship by default. You have to install the Windows
We have linux clients in an MIT Kerberos realm (1.6.3), Windows XP SP3
clients in AD and two-way trust configured. Accessing AD resources from
Linux clients work perfectly.
Accessing resources in the MIT Kerberos realm from Windows fails more
often than not. Lots of packet sniffing shows
023
E miguel.sand...@arcelormittal.com
www.arcelormittal.com/gent
-Original message-
From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On behalf of Bjoern
Tore Sund
Sent: Friday, 22 May 2009 11:05
To: kerberos@mit.edu
Subject: UDP/TCP problem in cross-realm
: Friday, 22 May 2009 11:05
To: kerberos@mit.edu
Subject: UDP/TCP problem in cross-realm authentication
We have linux clients in an MIT Kerberos realm (1.6.3), Windows XP SP3
clients in AD and two-way trust configured. Accessing AD resources from
Linux clients work perfectly
: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of
Bjoern Tore Sund
Sent: Friday, May 22, 2009 2:44 AM
To: miguel.sand...@arcelormittal.com
Cc: kerberos@mit.edu
Subject: Re: UDP/TCP problem in cross-realm authentication
miguel.sand...@arcelormittal.com wrote:
Moreover, do you
AM
To: miguel.sand...@arcelormittal.com
Cc: kerberos@mit.edu
Subject: Re: UDP/TCP problem in cross-realm authentication
miguel.sand...@arcelormittal.com wrote:
Moreover, do you even see the KRB5KRB_ERR_RESPONSE_TOO_BIG reply from the
KDC?
The MIT KDC doesn't seem to see the fragmented UDP
Hi,
Does Heimdal (open source implementation of Kerberos V), support
cross-realm authentication by a service that is delegated to obtain
credentials on behalf of a client?
Following is the use case:
1. Client delegates authentication of credentials to a service
2. The service how
.
-Original Message-
From: Douglas E. Engert [mailto:[EMAIL PROTECTED]
Sent: Friday, November 21, 2008 4:51 PM
To: Duffey, Blake A.
Cc: kerberos@mit.edu
Subject: Re: MIT Kerberos cross realm authentication with Windows Active
Directory
Duffey, Blake A. wrote:
I have
I have encountered a peculiar problem and would like to know if anyone has
seen it (or can duplicate it) and has a work around.
I have a cross-realm trust between a Windows 2008 Active Directory and an
MIT Kerberos Realm. The resources (apache, sshd, postgresql) are in the MIT
realm and the
Duffey, Blake A. wrote:
I have encountered a peculiar problem and would like to know if anyone has
seen it (or can duplicate it) and has a work around.
I have a cross-realm trust between a Windows 2008 Active Directory and an
MIT Kerberos Realm. The resources (apache, sshd, postgresql)
Hi,
Recently, I've set up an MIT kerberos realm. In this realm, there are a
few users, and an Apache HTTP server that I've successfully done
Kerberos-authentication against using mod_auth_kerb and firefox on the
client-side. So far so good.
Now when I try to do cross-realm authentication from
Wouter Verhelst [EMAIL PROTECTED] writes:
Now when I try to do cross-realm authentication from a Windows host, it
does not seem to work. The steps I've taken include:
- set up cross-realm authentication: I have a one-way incoming trust
relationship in Windows, and created a
krbtgt
:59 AM
Subject: Re: cross-realm authentication works only with .k5login
Hi Markus (thanks a lot for your suggestions),
it is exactly how I set up the two machines master and slave.
The problem is that on the same machine I can SSO with both REALM. But
if I try to SSO from one machine, let's
to put a trust relationship between the two REALMS, so I did
the following on each KDC:
addprinc -pw krbtgt/SOLARIS2 krbtgt/[EMAIL PROTECTED]
addprinc -pw krbtgt/SOLARIS krbtgt/[EMAIL PROTECTED]
In order to test cross realm authentication I tried to single sign on
into a machine based
/[EMAIL PROTECTED]
In order to test cross realm authentication I tried to single sign on
into a machine based on SOLARIS realm, with a ticket of SOLARIS2. The
SSO doesn't work, however if I run klist after trying SSO, it
yields:
[EMAIL PROTECTED] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default
krbtgt/SOLARIS krbtgt/[EMAIL PROTECTED]
In order to test cross realm authentication I tried to single sign on
into a machine based on SOLARIS realm, with a ticket of SOLARIS2. The
SSO doesn't work, however if I run klist after trying SSO, it
yields:
[EMAIL PROTECTED] ~]# klist
Ticket cache
and the same for the realm SOLARIS2.
Now, i want to obtain that with a ticket for SOLARIS realm i can
authenticate on SOLARIS2 realm based machine.
I put in the KDC the realm krbtgt/[EMAIL PROTECTED] but it doesn't work,
reading guide on cross realm authentication they said that adding
In regard to: Re: Problems with kadmind, kpasswd and cross-realm...:
That is why I asked earlier if it was safe to use multiple kadmind daemons
against the same database. If it is safe, then I can launch multiple
processes (one for each realm). However, if it isn't safe, I'm assuming that
PROTECTED]
Newsgroups: comp.protocols.kerberos
To: kerberos@mit.edu
Sent: Tuesday, September 25, 2007 2:05 PM
Subject: Re: Problems with kadmind, kpasswd and cross-realm authentication
I can reproduce the problem on my Suse 10.2 box with krb5-1.5.1-23.6
installed. Depending how I start kadmind
[EMAIL PROTECTED]
Newsgroups: comp.protocols.kerberos
To: kerberos@mit.edu
Sent: Tuesday, September 25, 2007 2:05 PM
Subject: Re: Problems with kadmind, kpasswd and cross-realm authentication
I can reproduce the problem on my Suse 10.2 box with krb5-1.5.1-23.6
installed. Depending how I start
] [mailto:[EMAIL PROTECTED]
Behalf Of Markus Moeller
Sent: Monday, September 24, 2007 4:15 PM
To: kerberos@mit.edu
Subject: Re: Problems with kadmind, kpasswd and cross-realm
authentication
That looks to me like a bug in the kdc code. Which release do you use ?
Markus
Anthony Brock [EMAIL
-Original Message-
Any ideas?
The man page states that kadmind should be able to change
passwords for any
realms that have an associated kadmin/changepw@REALM and
kadmin/admin@REALM principal. Is this still true? Or has
support for this
functionality been dropped? If not, what
What do you see when you capture the traffic with wireshark on port 88 and
464 ? Do you see the correct kadmin/[EMAIL PROTECTED] tickets ?
Markus
Anthony Brock [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
-Original Message-
Any ideas?
The man page states that kadmind
attaching a text export of the packet capture from wireshark.
Tony
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Markus Moeller
Sent: Monday, September 24, 2007 1:39 PM
To: kerberos@mit.edu
Subject: Re: Problems with kadmind, kpasswd and cross-realm
PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Markus Moeller
Sent: Monday, September 24, 2007 1:39 PM
To: kerberos@mit.edu
Subject: Re: Problems with kadmind, kpasswd and cross-realm
authentication
What do you see when you capture the traffic with wireshark on
port 88 and
464 ? Do you see
-Original Message-
kpasswd doesn't work on the KDC. It only works for the initial realm even
when the kpasswd command is issued on the KDC. That's why I'm a little
baffled as to how to proceed. I've read the following in the kadmind man
page:
... SNIP ...
An excerpt of these files
Anthony Brock [EMAIL PROTECTED] wrote:
No, the entire network is on a single, private IP address range. In
fact, I'm trying these particular commands on the same host that
kadmind is running on. However, the behavior is identical from a
remote host.
Does kpasswd work on the KDC itself for
-Original Message-
Anthony Brock [EMAIL PROTECTED] wrote:
No, the entire network is on a single, private IP address range. In
fact, I'm trying these particular commands on the same host that
kadmind is running on. However, the behavior is identical from a
remote host.
Does
Just to clarify. Are you attempting to serve two realms
from the same KDC?
Anthony Brock wrote:
# klist -k FILE:/etc/krb5kdc/kadm5.keytab | egrep
'STERLINGCGI.COM|SCGROUP.ORG'
3 kadmin/[EMAIL PROTECTED]
3 kadmin/[EMAIL PROTECTED]
3 kadmin/[EMAIL PROTECTED]
3 kadmin/[EMAIL
Brock [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 04, 2007 4:03 PM
To: kerberos@mit.edu
Subject: Problems with kadmind, kpasswd and cross-realm authentication
I have created several cross-realm trusts on a test server. At
this point, nearly everything is working properly. However, users
Anthony Brock [EMAIL PROTECTED] wrote:
I have created several cross-realm trusts on a test server. At this
point, nearly everything is working properly. However, users are
unable to change their passwords unless their account is in the
initial domain. Users see the following when attempting it
-Original Message-
Anthony Brock [EMAIL PROTECTED] wrote:
I have created several cross-realm trusts on a test server. At this
point, nearly everything is working properly. However, users are
unable to change their passwords unless their account is in the
initial domain. Users see
and userids have to be unique in both realms.
Regards
Markus
Rohit Kumar Mehta [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi guys, I have a pretty basic question about how cross-realm
authentication works with ssh. Can kerberized logins work when your TGT
is not from the default
Hi guys, I have a pretty basic question about how cross-realm
authentication works with ssh. Can kerberized logins work when your TGT
is not from the default realm (as specified by /etc/krb5.conf)
I set up 2 MIT KDCs using Ubuntu server (dapper) each in a different
realm (say REALM1
Rohit Kumar Mehta wrote:
Hi guys, I have a pretty basic question about how cross-realm
authentication works with ssh. Can kerberized logins work when your TGT
is not from the default realm (as specified by /etc/krb5.conf)
I set up 2 MIT KDCs using Ubuntu server (dapper) each
Rohit Kumar Mehta [EMAIL PROTECTED] writes:
On my client (also running the same version of Ubuntu with libpam_krb5),
I configured ssh for gssapi, and installed the keytab with the principal
host/[EMAIL PROTECTED]. I was able to kinit [EMAIL PROTECTED] and
ssh to cselin12.REALM1 and login
On Aug 21, 5:36pm, Douglas E. Engert wrote:
} Subject: Re: Windows GSSAPI ssh connection via cross-realm authentication
Good day to everyone, hope the end of the week is going well.
Jason Mogavero wrote:
Ok, I should note that adding a .k5login file to the home directory of the
user I
Ok, I should note that adding a .k5login file to the home directory of the
user I want to log in as did work. However, this setup won't work for us in
the long run.
The ultimate goal is to have tech support reps be able to ssh into our
multitude of hosted web servers to perform basic
Jason:
I think you misunderstand the role of Kerberos here. Kerberos is being
used to authenticate the user by name. If the SSH service is in realm
A.EXAMPLE.COM and the user is in realm B.EXAMPLE.COM, then after
successful authentication the SSH service knows the name as something
like [EMAIL
Do you have a .k5login file in the home directory on the
machine with the sshd? It should list the principals that
are allowed to access this unix account.
Note the return codes from the mm_answer_gss_userok is 1 when it
worked, 0 when it did not. So it looks like the gss authenticated you
but
There is no .k5login file in the home directory...though the user account
does exist on the machine, eventually the user database is going be stored
on LDAP and there will not be individual user accounts on the ssh servers.
Shouldn't the ACL take precedence anyway? I don't have a .k5login in
Jason Mogavero wrote:
Ok, I should note that adding a .k5login file to the home directory of the
user I want to log in as did work. However, this setup won't work for
us in
the long run.
Good.
The ultimate goal is to have tech support reps be able to ssh into our
multitude of hosted
Jason Mogavero wrote:
There is no .k5login file in the home directory...though the user account
does exist on the machine, eventually the user database is going be stored
on LDAP and there will not be individual user accounts on the ssh servers.
Shouldn't the ACL take precedence anyway?
Jason Mogavero wrote:
Hello all,
I am implementing a Kerberos/GSSAPI solution in a test environment and I
am experiencing some issues with allowing windows ssh clients to be granted
access to the ssh server.
The background:
Windows AD is primary kdc with realm name KDCTEST.COM and
Unfortunately, the network trace you provided is useless, because it
decodes Ethernet/IP/UDP, then does not show what matters: the contents of
the Kerberos messages in the UDP packets. Try something like Ethereal,
which can decode those as well.
--
Richard Silverman
[EMAIL PROTECTED]
I've set up a windows 2003 AD, a two-way transitive trust with an MIT
Kerberos server, run ksetup to add the realm of the kerb5 server, and
have created accounts on both the kerberos server and in the active
directory that allow me to successfully log in individually. I have
set the active
the other domain as just the user of the
domain
in which the kdc is installed. please do clear my doubt. Looking for an
answer
ASAP.
Thanking you,
Zaheer.
Cross-realm authentication implies two KDCs: a realm is by definition the
set of principals who share keys with the same KDC. A trusts B
HELLO ALL,
This is zaheer here, i am working on the cross domain authentication using
kerberos, i have configured two domains, and i am in a dilemma as to install 2
KDC in both the domains or is it sufficient for the kdc to be installed in only
one single domain, and register the other domain
and key in its
database instead.
Note that if you want cross realm in the other direction, you would
create krbtgt/[EMAIL PROTECTED] in both.
If my understanding is correct, to establish cross-realm authentication we
need to follow these steps :
1 - Admin in EXAMPLE.COM creates the principal
On Apr 22, 2005, at 00:20, Darren Hoch wrote:
I am giving a pretty lengthy presentation on Sun Kerberos next week
and I want to make sure I have the correct understanding of how
cross-realm authentication works.
Well, your understanding probably isn't as confused as some bits of
your
Hi ,
I would like to thank you, Ken, for these explanations ,
and sorry to be a third man, I have some questions and comments about
cross-realm authentication.
* Ken Raeburn ([EMAIL PROTECTED]) wrote:
The telnet is to a host named foo.example1.com, in Kerberos realm
EXAMPLE1.COM (which
Thanks to all of you guys for making this an exciting thread. I have
learned a great deal about cross realm authentication and it will help me
approach my customers much more prepared.
On another note (and with gratitude), I wrote up a tutorial on how to
integrate Solaris 9 Kerberos clients
Darren Hoch wrote:
Hello Kerberos Gurus,
I am giving a pretty lengthy presentation on Sun Kerberos next week
and I want to make sure I have the correct understanding of how
cross-realm authentication works.
Darren - if you have any other questions about the Solaris Kerberos
implementation
database instead.
Note that if you want cross realm in the other direction, you would
create krbtgt/[EMAIL PROTECTED] in both.
If my understanding is correct, to establish cross-realm authentication we
need to follow these steps :
1 - Admin in EXAMPLE.COM creates the principal krbtgt
Hello Kerberos Gurus,
I am giving a pretty lengthy presentation on Sun Kerberos next week and
I want to make sure I have the correct understanding of how cross-realm
authentication works.
Domain1: EXAMPLE.COM
Domain2: EXAMPLE1.COM
1) The user [EMAIL PROTECTED] wants to telnet to
host/[EMAIL
On Friday, April 01, 2005 07:23:37 PM -0800 Darren Hoch
[EMAIL PROTECTED] wrote:
kadmin: lisprincs
snip
krbtgt/[EMAIL PROTECTED]
krbtgt/[EMAIL PROTECTED]
krbtgt/[EMAIL PROTECTED]
The second components of each of these principal names must exactly match
the name of the realm involved, including
Hello All,
Thanks Jeffery. I deleted the old krbtgt principals and added the
following on each host:
krbtgt/[EMAIL PROTECTED]
krbtgt/[EMAIL PROTECTED]
I am almost there. When user darren now tries to telnet (kerberized)
from a host in realm EXAMPLE.COM to a host in EXAMPLE1.COM, the
Hi everyone,
I'm trying to get cross-realm authentication to work between a Windows
2000 domain (realm WIN.COM) and
a MIT KDC (realm i5.COM). I've set up the cross-realm trust on both
systems. The client is Windows 2000 Pro and
is a member of the Windows domain. On the client and Win KDC site I
On Jul 2, 10:23am, Tillman Hodgson wrote:
} Subject: Re: Cross-Realm authentication
Apologies for a bit off topic.
Truly, we have more issues with designing portable authorization
data than we do with authentication.
We are focused on developing GPL based solutions in this space.
Check http
, one of
the security experts said the following:
Expert: You can't put your SSO in production, because Kerberos cross realm
authentication doesn't work!
Me: Is it an issue in Microsoft Kerberos?
Expert: No. The Kerberos protocol has been so poorly designed, that
cross-realm authentication just
Expert: You can't put your SSO in production, because Kerberos cross realm
authentication doesn't work!
Me: Is it an issue in Microsoft Kerberos?
Expert: No. The Kerberos protocol has been so poorly designed, that
cross-realm authentication just doesn't work at all. Maybe Microsoft has
On Fri, Jul 02, 2004 at 10:47:56AM -0400, Ken Hornstein wrote:
Expert: You can't put your SSO in production, because Kerberos cross realm
authentication doesn't work!
Me: Is it an issue in Microsoft Kerberos?
Expert: No. The Kerberos protocol has been so poorly designed, that
cross-realm
: Re: Cross-Realm authentication
Expert: You can't put your SSO in production, because Kerberos cross realm
authentication doesn't work!
Me: Is it an issue in Microsoft Kerberos?
Expert: No. The Kerberos protocol has been so poorly designed
I am thinking of having Kerberos cross realm authentication on my Unix
server ldap authorisation. What happens if I have the same username for
different users in the two domains (e.g. [EMAIL PROTECTED] and [EMAIL PROTECTED]) ?
Does
pam_ldap sent the domain details to the ldap server or only
It's possible, although you'll either need to modify the .k5login
files or hack the code. If you are using MIT Kerberos you want the patch from bug
#957.
This patch will be in the next major release of MIT Kerberos.
Kerberos mailing list
Thank you for pointing that out Jeff !!
But a little correction: Heimdal does support
Cross-realm referral.
Cheers,
lara
--- Jeffrey Hutzelman [EMAIL PROTECTED] wrote:
On Tuesday, March 30, 2004 06:13:20 -0800 Lara
Adianto
[EMAIL PROTECTED] wrote:
I have a doubt on the following
Hello,
I have a question about the cross-realm authentication (Kerberos Realm Win2K)
My scenario is as follows:
a user using a Win2K professional machine authenticates to a Kerberos Realm. This user
then wants to access resources in a Win2K domain. I believe that this is possible
You cannot use kdb5_util load/dump to move principals between realms
with different master keys. That might be your problem.
I'd recommend deleting the two principals for the cross realm keys and
recreating them with known passwords on both systems.
I have two working realms: LAT and RUZ. I created principals
krbtgt/[EMAIL PROTECTED] and krbtgt/[EMAIL PROTECTED]. I used kdb5_util -r RUZ dump
datatrans krbtgt/[EMAIL PROTECTED] krbtgt/[EMAIL PROTECTED] and kdb5_util -r LAT load
-update datatrans to transfer these principals from one realm to
At our site we have principals (user accounts) in a Windows 2000 AD domain,
let's call this realm WIN.AD. I have configured Kerberos on my workstation
and can get my krbtgt from the AD using my account--so far so good.
I have created a second realm for my servers, let's call this realm
NOT.WIN.AD,
i have users logging in to a win2k domain using their kerberos principals
from a different realm (mit krb5-1.3.1). everything works as expected using
single des, but if i try to use rc4-hmac first pre-authentication fails, then
if i turn off the requires_preauth bits for the user's principal as
CJ Keist wrote:
Hello,
Reading the docs on cross realm authentication is making me go
crossed eyed ;). I'll try my best to explain what it is I'm wanting to
do with cross realm authentication.
We have two realms 1) COLOSTATE.EDU and 2) ENGR.COLOSTATE.EDU (my
realm). The top realm
On Mon, Aug 18, 2003 at 10:59:53AM -0600, CJ Keist wrote:
[capaths]
ENGR.COLOSTATE.EDU = {
COLOSTATE.EDU = .
}
Do you also have the relevant keys for cross-realm authentication
created in both realms?
-T
--
Page xxviii: More than any other computer
, August 18, 2003, at 11:51 AM, Douglas E. Engert wrote:
CJ Keist wrote:
Hello,
Reading the docs on cross realm authentication is making me go
crossed eyed ;). I'll try my best to explain what it is I'm wanting
to
do with cross realm authentication.
We have two realms 1) COLOSTATE.EDU
for cross-realm authentication
created in both realms?
-T
--
Page xxviii: More than any other computer system today, Unix will repay
every moment that you spend learning and experimenting.
- Harley Hahn, _The Unix Companion_
Kerberos mailing list
CJ == CJ Keist [EMAIL PROTECTED] writes:
CJ If I understand your message here, then Kerberos right now is
CJ not capable of handling this setup. In that a master realm
CJ that holds just user principals, with sub realms holding host
CJ principals cannot authenticate a user
Tillman wrote:
Host Pluto is my MIT KDC. Host Pmax is a Heimdal KDC I'm trying to set
up a bi-directional cross realm trust with.
I've read FAQ2.15, but I'm still running into problems. Here's what I
have so far:
On host Pluto:
kadmin.local: listprincs kr*
krbtgt/[EMAIL PROTECTED]
Tillman wrote:
On Wed, May 28, 2003 at 04:19:40PM -0600, Tillman wrote:
The result of a cross realm Kerberized telnet:
$ telnet -x -k SMITHCLAN.CA -l root calvin.smithclan.ca
The realm name looks wrong, see previous note, and see below.
Trying 192.168.8.2...
Connected to
On Thu, May 29, 2003 at 09:38:36AM -0500, Douglas E. Engert wrote:
The realm name looks wrong, see previous note, and see below.
That was indeed the problem. Thanks for your help!
-T
--
Special knowledge can be a terrible disadvantage if it leads you too far along
a path that you cannot
1 - 100 of 111 matches