[2612] in Kerberos
Kerberos 5 and Cross Realms
daemon@ATHENA.MIT.EDU (Carol Howard)
Mon Mar 1 12:49:30 1993
Date: Mon, 1 Mar 1993 12:22:23 -0500
From: choward@lonestar.webo.dg.com (Carol Howard)
To: kerberos@MIT.EDU

I have been trying to get the simple client/server (sim_client and
sim_server) provided in the V5 release to work across realms and have
been running into problems. I have the following principals defined:

REALM-1 (sim_client)               REALM-2 (sim_server)
--------------------               --------------------
host/<realm-1 hostname>@realm-1    host/<realm-2 hostname>@realm-2
krbtgt/realm-2@realm-1             krbtgt/realm-1@realm-2
                                   <sim_server service>/<realm-2 host>@realm-2

with krbtgt/realm-2@realm-1 and krbtgt/realm-1@realm-2 having the same
key. The principals host/<realm-2 hostname>@realm-2 and
<sim_server service>/<realm-2 host>@realm-2 are also in the v5srvtab.
My problems occur when the KDC (located on the host running the
sim_server) starts to process the authentication header in the TGS
request -- kdc_util.c/kdc_process_tgs_req -- the call to
kdc_get_server_key using the ticket in the authentication header
causes the KDC to give a "TGS_REQ: Server not found in Kerberos
database" error. The ticket in the authentication header has the
following information: realm = realm-1 and data = krbtgt/realm-2.
It is unclear to me where the actual problem lies: the authentication
header ticket information is incorrect, the KDC is not processing the
information correctly, or I haven't set up for cross-realms properly.

Any information or suggestions would be appreciated.
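
Added example, not part of the original message or of the MIT Kerberos sources: a Python check that takes the principal lists from the table in the message and tests whether the principal named by the header ticket (krbtgt/realm-2@realm-1, as the message reports) is present in each realm's database. The host names host1 and host2 and the service name sample are constructed placeholders, and modelling the KDC lookup as an exact match on name and realm is an assumption based on the behaviour described above.

```python
# Added example: a model of the lookup described in the message,
# not code from the Kerberos V5 release.

def parse_principal(text):
    """Split 'comp1/comp2@realm' into (components, realm).
    Assumes no escaped '/' or '@' inside components."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a full principal name: {text!r}")
    return tuple(name.split("/")), realm

def cross_realm_tgs_name(client_realm, server_realm):
    """Server principal carried by the ticket a client from client_realm
    presents to the KDC of server_realm (name krbtgt/<server>, realm <client>)."""
    return f"krbtgt/{server_realm}@{client_realm}"

def audit_cross_realm(databases, client_realm, server_realm):
    """Return the realms whose database has no entry matching the
    cross-realm ticket's server principal."""
    needed = parse_principal(cross_realm_tgs_name(client_realm, server_realm))
    missing = []
    for realm in (client_realm, server_realm):
        entries = {parse_principal(p) for p in databases[realm]}
        if needed not in entries:
            missing.append(realm)
    return missing

# Constructed databases mirroring the principal table in the message.
DATABASES = {
    "realm-1": ["host/host1@realm-1", "krbtgt/realm-2@realm-1"],
    "realm-2": ["host/host2@realm-2", "krbtgt/realm-1@realm-2",
                "sample/host2@realm-2"],
}

if __name__ == "__main__":
    for client, server in (("realm-1", "realm-2"), ("realm-2", "realm-1")):
        needed = cross_realm_tgs_name(client, server)
        missing = audit_cross_realm(DATABASES, client, server)
        status = "present in both" if not missing else "absent from " + ", ".join(missing)
        print(f"{client} -> {server}: {needed} is {status}")
```
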