[28219] in Kerberos
cross realm trust
daemon@ATHENA.MIT.EDU (Matthew B. Brookover)
Tue Aug 7 18:55:34 2007
From: "Matthew B. Brookover" <mbrookov@mines.edu>
To: kerberos@mit.edu
Date: Tue, 07 Aug 2007 16:55:22 -0600
Message-Id: <1186527322.3449.34.camel@merlin.Mines.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
I am trying to get two realms to trust each other. Both realms are in
the Mines.EDU domain. The first realm is production systems and is
named MINES.EDU, the second realm is for development systems and named
DEVMINES.EDU. The documentation that I have read only discusses the
case where there is one Kerberos realm per domain. In this case I have
two Kerberos realms in one domain.
The client (merlin.Mines.EDU) is in the MINES.EDU realm and the server
(oneoften.Mines.EDU) is in the DEVMINES.EDU realm. Both of the Kerberos
KDCs are running Kerberos 1.6.1 with the recent patches. I am using
OpenSSH for testing, any host in MINES.EDU can ssh to any other host in
MINES.EDU and login without a password, and any host in DEVMINES.EDU can
ssh to any other host in DEVMINES.EDU and login without a password using
Kerberos to authenticate.
After some digging through the documentation, I learned that the domain
realm section of the krb5.conf file could be used to map either a host
or a domain name to a realm name. After some tinkering, my client
(merlin.Mines.EDU) has a domain realm like this:
[domain_realm]
oneoften.mines.edu = DEVMINES.EDU
oneoften.Mines.EDU = DEVMINES.EDU
oneoften = DEVMINES.EDU
mines.edu = MINES.EDU
.mines.edu = MINES.EDU
Mines.EDU = MINES.EDU
.Mines.EDU = MINES.EDU
And my server (oneoften.Mines.EDU) has this:
[domain_realm]
merlin.mines.edu = MINES.EDU
merlin.Mines.EDU = MINES.EDU
merlin = MINES.EDU
.Mines.EDU = DEVMINES.EDU
Mines.EDU = DEVMINES.EDU
.mines.edu = DEVMINES.EDU
mines.edu = DEVMINES.EDU
My capaths section on merlin and oneoften look like this:
[capaths]
MINES.EDU = {
DEVMINES.EDU = MINES.EDU
}
DEVMINES.EDU = {
MINES.EDU = DEVMINES.EDU
}
When I ssh from Merlin to oneoften, the KDC in MINES.EDU logs this:
Aug 07 16:13:31 immortal.Mines.EDU krb5kdc[2719](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.67.4.11: ISSUE: authtime 1186524790, etypes {rep=18 tkt=23 ses=18}, mbrookov@MINES.EDU for krbtgt/DEVMINES.EDU@MINES.EDU
Aug 07 16:13:31 immortal.Mines.EDU krb5kdc[2719](info): TGS_REQ (1 etypes {18}) 138.67.4.11: ISSUE: authtime 1186524790, etypes {rep=18 tkt=23 ses=18}, mbrookov@MINES.EDU for krbtgt/MINES.EDU@MINES.EDU
And the KDC for DEVMINES.EDU logs this:
Aug 07 16:13:31 sixoften.Mines.EDU krb5kdc[5385](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 138.67.4.11: ISSUE: authtime 1186524790, etypes {rep=18 tkt=23 ses=18}, mbrookov@MINES.EDU for host/oneoften.mines.edu@DEVMINES.EDU
It looks to me like that Merlin goes to the kdc, in the MINES.EDU realm,
gets the krbtgt/DEVMINES.EDU@MINES.EDU ticket, then goes to the KDC for
the DEVMINES.EDU realm and gets the ticket for
host/oneoften.mines.edu@DEVMINES.EDU.
But, ssh still asks for a password.
[mbrookov@merlin ~]$ kdestroy ; kinit ; klist -f
Password for mbrookov@MINES.EDU:
Ticket cache: FILE:/tmp/krb5cc_5467_V9EjEj
Default principal: mbrookov@MINES.EDU
Valid starting Expires Service principal
08/07/07 16:13:10 08/08/07 07:13:10 krbtgt/MINES.EDU@MINES.EDU
renew until 08/08/07 16:13:08, Flags: FRIA
Kerberos 4 ticket cache: /tmp/tkt5467
klist: You have no tickets cached
[mbrookov@merlin ~]$ ssh oneoften
mbrookov@oneoften's password:
Permission denied, please try again.
mbrookov@oneoften's password:
Permission denied, please try again.
mbrookov@oneoften's password:
Received disconnect from 138.67.130.65: 2: Too many authentication failures for mbrookov
[mbrookov@merlin ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_5467_V9EjEj
Default principal: mbrookov@MINES.EDU
Valid starting Expires Service principal
08/07/07 16:13:10 08/08/07 07:13:10 krbtgt/MINES.EDU@MINES.EDU
renew until 08/08/07 16:13:08, Flags: FRIA
08/07/07 16:13:31 08/08/07 07:13:10 krbtgt/DEVMINES.EDU@MINES.EDU
renew until 08/08/07 16:13:08, Flags: FRAT
08/07/07 16:13:31 08/08/07 07:13:10 host/oneoften.mines.edu@DEVMINES.EDU
renew until 08/08/07 16:13:08, Flags: FRAT
Kerberos 4 ticket cache: /tmp/tkt5467
klist: You have no tickets cached
[mbrookov@merlin ~]$
I have never set up a cross realm relationship between two realms, but
the logs and the tickets on the client look correct to me.
I have double checked the password for the krbtgt/DEVMINES.EDU@MINES.EDU
principals in both realms and am sure they match. Just in case I set up
the krbtgt/MINES.EDU@DEVMINES.EDU principals in both realms. All 4
principals used to set up the cross realm trust have the same key
version number, passwords, etc.
The realms section of /etc/krb5.conf has both the MINES.EDU realm and
the DEVMINES.EDU realm.
Merlin is running Fedora 7 with all of the patches and Oneoften is
running Red Hat Enterprise Linux 4 update 5 with all of the patches.
I have ran out of straws to grasp at. Does any body have any ideas?
thank you
Matt
mbrookov@mines.edu
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos