[38764] in Kerberos


'HANDLE_AUTHDATA' error when trying to setup Kerberos trust between

daemon@ATHENA.MIT.EDU (Robert Sturrock)
Mon Jun 15 02:28:10 2020

From: Robert Sturrock <rns@unimelb.edu.au>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Mon, 15 Jun 2020 06:25:31 +0000
Message-ID: <7176E09B-19FD-4F47-A47B-385AD30123FF@unimelb.edu.au>
Content-Language: en-US
Content-ID: <823150D480775D46B38D777A3979D699@ausprd01.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi All,

I’m trying to create a (one-way) Kerberos trust between AD and a FreeIPA installation, such that user TGTs from AD can be used to access resources in the IPA realm.

I followed some (non-IPA related) steps for setting up Kerberos trusts between AD and MIT Kerberos - essentially creating a common TGT principal in both systems with a common password.  This works to a point (i.e. I can get the TGT for IPA using the AD TGT), but when I try to fetch a service ticket in the IPA domain I get a 'HANDLE_AUTHDATA' error.

Here is what I’m seeing:

 (AD domain = 'STAFF.LOCALREALM'; IPA domain = 'PALLAS.LOCALREALM')

 # Get AD TGT:
 Password for rns@STAFF.LOCALREALM: XXXXXXXXX

 $ klist
 Ticket cache: KEYRING:persistent:10846:10846
 Default principal: rns@STAFF.LOCALREALM

 Valid starting     Expires            Service principal
 11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
         renew until 12/06/20 13:34:18

 # Use AD TGT to get an IPA TGT:
 $ kvno krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
 krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM: kvno = 0

 $ klist
 Ticket cache: KEYRING:persistent:10846:10846
 Default principal: rns@STAFF.LOCALREALM

 Valid starting     Expires            Service principal
 11/06/20 13:34:24  11/06/20 23:34:19  krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
         renew until 12/06/20 13:34:18
 11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
         renew until 12/06/20 13:34:18

 # Try to fetch an IPA service ticket:
 $ kvno host/palladium1.localdomain@PALLAS.LOCALREALM
 kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/palladium1.localdomain@PALLAS.LOCALREALM

Can anyone provide some idea as to what’s going on here and how I resolve this?  I don’t really know what ‘HANDLE_AUTHDATA’ indicates and I’m not able to find a lot of documentation explaining this.

Thanks!

Robert.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
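The shell script below is an added example, not part of the post above or of any FreeIPA or MIT krb5 tooling. It spells out the MIT-KDC side of the one-way trust the poster describes (the shared krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM principal plus the krb5.conf [capaths] entry that lets STAFF clients reach PALLAS directly) and adds a small check, run against the klist listing from the post, that a ticket cache really holds the cross-realm TGT before a service ticket is requested. The realm names are the post's; the enctype, the trust password and the kadmin.local invocation are assumptions, and the AD side (creating the same principal with the same password there) is not shown. For context on the error itself: "HANDLE_AUTHDATA" is the error-text string the MIT KDC sends back when its authorization-data processing for a TGS request fails, so the problem lies in how the IPA KDC handles the authdata carried in the incoming cross-realm TGT rather than in the ticket chain, which the listing shows is complete.

```shell
#!/bin/sh
# Added example (not from the original post): MIT/IPA-KDC side of a one-way
# cross-realm trust, plus a check of a ticket cache listing.
# Realm names come from the post; everything else here is an assumption.
set -u

AD_REALM="STAFF.LOCALREALM"    # realm issuing the user TGTs (trusted realm)
IPA_REALM="PALLAS.LOCALREALM"  # realm whose services are to be reached

# The shared cross-realm principal is krbtgt/<server realm>@<client realm>.
# It must exist with the SAME key (same password, same enctype) in both KDCs.
cross_realm_principal() {
    printf 'krbtgt/%s@%s\n' "$1" "$2"
}

# krb5.conf [capaths] stanza: clients of realm $1 reach realm $2 directly ('.').
capaths_stanza() {
    printf '[capaths]\n    %s = {\n        %s = .\n    }\n' "$1" "$2"
}

# kadmin.local commands for the MIT/IPA KDC. $1 = client realm, $2 = server
# realm, $3 = trust password (must match the AD-side principal). The enctype
# is an assumption: if the AD trust is RC4-only, arcfour-hmac:normal is needed.
# Commands are printed so they can be reviewed before being piped to kadmin.local.
kadmin_commands() {
    princ=$(cross_realm_principal "$2" "$1")
    printf 'addprinc -e "aes256-cts-hmac-sha1-96:normal" -pw "%s" %s\n' "$3" "$princ"
    printf 'getprinc %s\n' "$princ"
}

# Read klist output from stdin and succeed only if the cache holds the
# home-realm TGT krbtgt/$1@$1 AND the cross-realm TGT krbtgt/$2@$1.
# Return 1 if the home TGT is missing, 2 if the cross-realm TGT is missing.
check_cross_realm_cache() {
    tgt="krbtgt/$1@$1"
    xtgt=$(cross_realm_principal "$2" "$1")
    cache=$(cat)
    printf '%s\n' "$cache" | grep -qF "$tgt" \
        || { echo "missing home-realm TGT $tgt" >&2; return 1; }
    printf '%s\n' "$cache" | grep -qF "$xtgt" \
        || { echo "missing cross-realm TGT $xtgt" >&2; return 2; }
    echo "cross-realm chain $1 -> $2 present"
}

# Re-run the failing step with client-side tracing so the TGS-REQ/TGS-REP
# exchange and the KDC's error text are visible. Only useful on a host with
# krb5 client tools and a live ticket cache; skipped otherwise.
trace_service_request() {
    command -v kvno >/dev/null 2>&1 || { echo "kvno not installed, skipping" >&2; return 1; }
    KRB5_TRACE=/dev/stderr kvno "$1"
}

# Constructed sample: the klist listing from the post, after the cross-realm
# TGT had been obtained.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:10846:10846
Default principal: rns@STAFF.LOCALREALM

Valid starting     Expires            Service principal
11/06/20 13:34:24  11/06/20 23:34:19  krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM'

main() {
    capaths_stanza "$AD_REALM" "$IPA_REALM"
    kadmin_commands "$AD_REALM" "$IPA_REALM" 'shared-trust-password'
    printf '%s\n' "$SAMPLE_KLIST" | check_cross_realm_cache "$AD_REALM" "$IPA_REALM"
}

main
```

The check is deliberately run before any service-ticket request: if it fails with "missing cross-realm TGT", the shared krbtgt principal or the [capaths] entry is wrong and the TGS error is irrelevant; if it passes, as it does for the listing in the post, the remaining failure is on the serving KDC's side. One caveat the post does not cover: FreeIPA's supported way of establishing an AD trust is `ipa trust-add`, which also registers the AD domain with the IPA KDC back end that processes the PAC in incoming tickets; a hand-made shared krbtgt key gives that back end no such information.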
