[38765] in Kerberos


Re: 'HANDLE_AUTHDATA' error when trying to setup Kerberos trust

daemon@ATHENA.MIT.EDU (Dmitri Pal)
Mon Jun 15 10:16:39 2020

In-Reply-To: <7176E09B-19FD-4F47-A47B-385AD30123FF@unimelb.edu.au>
From: Dmitri Pal <dpal@redhat.com>
Date: Mon, 15 Jun 2020 09:00:50 -0400
Message-ID: <CAOPuEqWWVtxaC8=795iitbARzOF_eQQ0-YxTqC8_Hd073YJniQ@mail.gmail.com>
To: Robert Sturrock <rns@unimelb.edu.au>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

On Mon, Jun 15, 2020 at 2:39 AM Robert Sturrock <rns@unimelb.edu.au> wrote:

> Hi All,
>
> I’m trying to create a (one-way) Kerberos trust between AD and a FreeIPA
> installation, such that user TGTs from AD can be used to access resources
> in the IPA realm.
>
> I followed some (non-IPA related) steps for setting up Kerberos trusts
> between AD and MIT Kerberos - essentially creating a common TGT principal
> in both systems with a common password.  This works to a point (i.e. I can
> get the TGT for IPA using the AD TGT), but when I try to fetch a service
> ticket in the IPA domain I get a ‘HANDLE_AUTHDATA’ error.
>

Was there any reason not to follow IPA steps for setting trusts?
They are very straightforward.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management



>
> Here is what I’m seeing:
>
>  (AD domain = 'STAFF.LOCALREALM'; IPA domain = 'PALLAS.LOCALREALM')
>
>  # Get AD TGT:
>  Password for rns@STAFF.LOCALREALM: XXXXXXXXX
>
>  $ klist
>  Ticket cache: KEYRING:persistent:10846:10846
>  Default principal: rns@STAFF.LOCALREALM
>
>  Valid starting     Expires            Service principal
>  11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
>          renew until 12/06/20 13:34:18
>
>  # Use AD TGT to get an IPA TGT:
>  $ kvno krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
>  krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM: kvno = 0
>
>  $ klist
>  Ticket cache: KEYRING:persistent:10846:10846
>  Default principal: rns@STAFF.LOCALREALM
>
>  Valid starting     Expires            Service principal
>  11/06/20 13:34:24  11/06/20 23:34:19  krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
>          renew until 12/06/20 13:34:18
>  11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
>          renew until 12/06/20 13:34:18
>
>  # Try to fetch an IPA service ticket:
>  $ kvno host/palladium1.localdomain@PALLAS.LOCALREALM
>  kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/palladium1.localdomain@PALLAS.LOCALREALM
>
> Can anyone provide some idea as to what’s going on here and how I resolve
> this?  I don’t really know what ‘HANDLE_AUTHDATA’ indicates and I’m not
> able to find a lot of documentation explaining this.
>
> Thanks!
>
> Robert.
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>


-- 

Thank you,
Dmitri Pal

Director, Software Engineering
Red Hat Enterprise Linux Platform Security and Identity Management
dpal@redhat.com
 <https://red.ht/sig>
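The three commands Robert ran are the standard way to probe a cross-realm trust step by step (local TGT, cross-realm TGT, service ticket), and the step at which they fail is the diagnostic. The script below, an added example that is not from the thread, from Robert's setup or from FreeIPA, automates that walk and classifies the failure from the tool output. The status string itself is the MIT KDC's own: it is what the KDC reports when its authorization-data hook (handle_authdata in the KDC's request processing) returns an error while issuing the ticket; on a FreeIPA KDC that hook is where the ipadb backend processes the MS-PAC, so a cross-realm TGT from a realm the IPA server holds no trust object for can pass the shared-key check at step 2 and still be rejected at step 3. That reading is mine, not something the thread states. The command runner is injected so the logic can be exercised offline; `replay_runner` and the fixtures are constructed from the output quoted above, and all function names are my own. The script assumes the user has already run kinit in the AD realm.

```python
"""Walk the cross-realm checks from the thread and report which step failed.

Steps: (1) a TGT for the client's own realm is in the default cache,
(2) kvno for krbtgt/TARGET@SOURCE obtains the cross-realm TGT,
(3) kvno for a service in TARGET obtains a service ticket.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Tuple

# A runner takes an argv list and returns (returncode, stdout, stderr).
Runner = Callable[[List[str]], Tuple[int, str, str]]


def real_runner(argv: List[str]) -> Tuple[int, str, str]:
    """Run a real krb5 client tool (klist/kvno) and capture its output."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


@dataclass
class Ticket:
    service: str
    valid_from: str
    expires: str


# klist rows are "<valid starting>  <expires>  <service principal>"; with a
# narrow terminal the principal wraps onto the next line (as in the quoted
# output), so a row may carry its principal inline or on the following line.
_TS = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
_ROW = re.compile(rf"^\s*({_TS})\s+({_TS})(?:\s+(\S+))?\s*$")


def parse_klist(output: str) -> List[Ticket]:
    """Extract (service, valid_from, expires) rows from klist output."""
    tickets: List[Ticket] = []
    lines = output.splitlines()
    i = 0
    while i < len(lines):
        m = _ROW.match(lines[i])
        if m:
            service = m.group(3)
            if service is None and i + 1 < len(lines):  # wrapped principal
                i += 1
                service = lines[i].strip()
            if service:
                tickets.append(Ticket(service, m.group(1), m.group(2)))
        i += 1
    return tickets


def classify_kdc_error(stderr: str) -> str:
    """Map kvno's error text onto the kind of trust failure it indicates."""
    if "HANDLE_AUTHDATA" in stderr:
        return "authdata"       # KDC authorization-data (PAC) hook rejected it
    if "Server not found in Kerberos database" in stderr:
        return "no-principal"   # cross-realm krbtgt or service principal missing
    if "Decrypt integrity check failed" in stderr:
        return "key-mismatch"   # shared krbtgt key differs between the realms
    return "other"


def check_trust(run: Runner, client: str, target_realm: str, service: str) -> Tuple[str, str]:
    """Return (failed_step, detail); ("ok", "") when all three steps succeed."""
    source_realm = client.split("@", 1)[1]
    rc, out, _ = run(["klist"])
    tickets = parse_klist(out) if rc == 0 else []
    if not any(t.service == f"krbtgt/{source_realm}@{source_realm}" for t in tickets):
        return "no-local-tgt", f"run kinit {client} first"
    rc, _, err = run(["kvno", f"krbtgt/{target_realm}@{source_realm}"])
    if rc != 0:
        return "cross-realm-tgt", classify_kdc_error(err)
    rc, _, err = run(["kvno", service])
    if rc != 0:
        return "service-ticket", classify_kdc_error(err)
    return "ok", ""


# Constructed fixture: the output quoted in the thread, replayed offline.
KLIST_AFTER_KINIT = """\
Ticket cache: KEYRING:persistent:10846:10846
Default principal: rns@STAFF.LOCALREALM

Valid starting     Expires            Service principal
11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
        renew until 12/06/20 13:34:18
"""
KVNO_SERVICE_ERR = ("kvno: KDC returned error string: HANDLE_AUTHDATA while getting "
                    "credentials for host/palladium1.localdomain@PALLAS.LOCALREALM\n")


def replay_runner(argv: List[str]) -> Tuple[int, str, str]:
    """Offline stand-in for real_runner that replays the thread's output."""
    if argv == ["klist"]:
        return 0, KLIST_AFTER_KINIT, ""
    if argv[0] == "kvno" and argv[1].startswith("krbtgt/"):
        return 0, f"{argv[1]}: kvno = 0\n", ""
    if argv[0] == "kvno":
        return 1, "", KVNO_SERVICE_ERR
    raise ValueError(f"unexpected command {argv}")


if __name__ == "__main__":
    step, detail = check_trust(replay_runner, "rns@STAFF.LOCALREALM",
                               "PALLAS.LOCALREALM",
                               "host/palladium1.localdomain@PALLAS.LOCALREALM")
    print(f"failed at step: {step} ({detail})")
```

Against the replayed output the walk stops at the service-ticket step with "authdata": the cross-realm TGT was issued, so the shared krbtgt key matches on both sides, and it is the IPA KDC's authorization-data handling of that foreign TGT that refuses. The practical check at that point is on the IPA side, whether the AD realm is registered as a trust at all (`ipa trust-find`), which is what the documented `ipa trust-add` procedure Dmitri links to sets up and a hand-built shared krbtgt does not. Swap `replay_runner` for `real_runner` to run it against a live cache.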

