[31452] in Kerberos
Re: Kerberos service ticket issue!!!
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Sep 4 16:31:31 2009
Message-ID: <4AA174DE.7090800@anl.gov>
Date: Fri, 04 Sep 2009 15:13:18 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Priya B <priya9907@gmail.com>
In-Reply-To: <a974ac03-b8e0-423d-98f2-cc76ca437fee@x37g2000yqj.googlegroups.com>
Cc: srini.csit@gmail.com, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Priya B wrote:
> Thank you so much for your response!
>
> We modified the krb5.conf file (as below) and also switched from UDP
> to TCP. Now we're not getting any errors in the trace. But still we
> don't get the service ticket (same exception). In the trace for some
> reason, after the client gets the TGS response, the client closes the
> TCP connection, and never tries to get a service ticket. It is not
> querying regarding the service at all.
>
> Anyway, below are some answers to your questions:
>
> What version of Java?
>>>> 1.6
>
>
> Do you have cross realm setup between the two realms?
>>>> It should be there, because we have another application (based on SSPI) using which we are able to sign-in to the same service.
>
>
> Do you have the krb5.conf on the client setup for cross realm?
>>>> We have. Below is the conf file. Do let us know if it needs any corrections.
Note that Kerberos implementations just ignore unknown lines in the
krb5.conf, so you must be careful to get them correct.
>
> --------------------------------------------------------------
>
>
> [libdefaults]
> udp_preference_limit = 1
> default_realm = REALM1.COM
> dns_lookup_kdc = true
> [realms]
> REALM1.COM = {
> kdc = host1.realm1.com
> default_domain = realm1.com
>
> }
>
> REALM2.COM = {
>
> realm_type = WINNTv1
>
> ENC_TYPES_LIST = RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC
>
What are the above two lines? What documentation where you reading on how to
setup a krb5.conf for Java? And what is "WINNTv1"? "NT" implies a very old OS.
Windows 2000 was the first that I know of that supports Kerberos.
>
> kdc = {
>
> name = host2.realm2.com
> default_domain = .realm2.com
>
> protocol = TCP
>
> }
>
> }
>
>
>
> [domain_realm]
> .realm1.com = REALM1.COM
> .realm2.com =REALM2.COM
>
>
>
>
> [capaths]
> REALM1.COM = {
> REALM2.COM = .
> }
>
> REALM2.COM = {
> REALM1.COM = .
> }
>
>
> [logging]
>
>
> --------------------------------------------------------------
>
> Is one or both of the realms Window AD?
>>>> Shall confirm that soon.
>
>
> You appear to have done some tracing, but have not said where you are
> seeing these messages or how far along the process of getting tickets
> has gotten. i.e. client to client's KDC or client to server's KDC.
>>>> client to client's KDC
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos