[Freeipa-users] Cross-Realm authentification

Andreas Ladanyi andreas.ladanyi at kit.edu
Wed Dec 3 13:37:55 UTC 2014


Hi,

I am trying to set up a cross-realm relationship.

Generated krbtgt cross-realm principals on both KDCs with the same
password and kvno:

krbtgt/REALM_B@REALM_A (REALM_B is MIT Kerberos, REALM_A is FreeIPA 3.3.5)
krbtgt/REALM_A@REALM_B

getprinc on REALM_A KDC for principal krbtgt/REALM_B@REALM_A:

Number of keys: 4
Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
Key: vno 1, des3-cbc-sha1, Version 5
Key: vno 1, arcfour-hmac, Version 5
MKey: vno 1

getprinc on REALM_A KDC for principal krbtgt/REALM_A@REALM_B:

Number of keys: 4
Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
Key: vno 1, des3-cbc-sha1, Version 5
Key: vno 1, arcfour-hmac, Version 5
MKey: vno 1

getprinc on REALM_B KDC for principal krbtgt/REALM_B@REALM_A:

Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1

getprinc on REALM_B KDC for principal krbtgt/REALM_A@REALM_B:

Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1


I set up the [capaths] section in the krb5.conf client config:

[capaths]
REALM_A = {
    REALM_B = .
    }
REALM_B = {
    REALM_A = .
    }



Test on the REALM_B (FreeIPA) system:

1. kinit user: get a krbtgt/REALM_B@REALM_B

2. kvno krbtgt/REALM_A@REALM_B: get cross-realm ticket
krbtgt/REALM_A@REALM_B: kvno = 1

3. kvno host/( FQDN of host in REALM_A )@REALM_A:
kvno: KDC returned error string: PROCESS_TGS while getting credentials
for host/( FQDN of host in REALM_A )@REALM_A.

4. kvno user@REALM_A:
kvno: KDC returned error string: PROCESS_TGS while getting credentials
for user@REALM_A.


Because I get a cross-realm ticket in step 2, I am of the opinion that I set up
the cross-realm ticket correctly on both sides. I think only steps 3/4 are the
problem, because I don't get tickets for a user/host principal in REALM_A.


Any ideas?

Andreas
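Added example, not code from the original post nor from FreeIPA or MIT Kerberos: a small Python script that checks, offline and from text alone, the two things the kinit/kvno sequence above depends on. First, that the [capaths] section gives the client realm (REALM_B) a route to the server realm (REALM_A); second, that the getprinc listings for krbtgt/REALM_A@REALM_B on both KDCs share at least one enctype at the same kvno, since both KDCs must hold the same key under the same enctype and kvno for the receiving KDC to decrypt the cross-realm TGT the other one issued. The krb5.conf fragment and the key listings are copied from the post as constructed sample input; the enctype alias table (older kadmin builds print long display names), the function names and the report layout are this example's own assumptions. The salt label from each key line is kept in the parsed output because a password-derived key also depends on the salt, but the script does not interpret it.

```python
import re
from collections import defaultdict

# Constructed input: the [capaths] section exactly as posted.
KRB5_CONF = """\
[capaths]
REALM_A = {
    REALM_B = .
    }
REALM_B = {
    REALM_A = .
    }
"""

# Constructed input: the two getprinc listings from the post for the
# same cross-realm principal krbtgt/REALM_A@REALM_B, one from each KDC.
GETPRINC_ON_REALM_A_KDC = """\
Number of keys: 4
Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
Key: vno 1, des3-cbc-sha1, Version 5
Key: vno 1, arcfour-hmac, Version 5
MKey: vno 1
"""

GETPRINC_ON_REALM_B_KDC = """\
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
"""

# Assumption: older kadmin prints the long display names for enctypes;
# map the ones seen in the post onto their short krb5.conf names.
ENCTYPE_ALIASES = {
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
}

KEY_LINE = re.compile(r"Key: vno (\d+), ([^,]+)(?:, (.+))?$")


def parse_capaths(text):
    """Parse the [capaths] section of a krb5.conf.  Returns
    {client_realm: {server_realm: [intermediate, ...]}}; a "." entry
    means a direct trust and is recorded as an empty hop list."""
    paths = defaultdict(dict)
    in_capaths = False
    client = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:                                   # new section header
            in_capaths = m.group(1) == "capaths"
            continue
        if not in_capaths:
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:                                   # "CLIENT_REALM = {"
            client = m.group(1)
            continue
        if line == "}":
            client = None
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*(\S+)", line)
        if m and client is not None:            # "SERVER_REALM = HOP"
            server, hop = m.groups()
            hops = paths[client].setdefault(server, [])
            if hop != ".":
                hops.append(hop)
    return paths


def transit_path(paths, client_realm, server_realm):
    """Intermediate realms a client in client_realm must transit to reach
    server_realm per [capaths]; [] for a direct trust; None when nothing is
    configured (libkrb5 would then fall back to walking the realm names)."""
    return paths.get(client_realm, {}).get(server_realm)


def parse_keys(getprinc_output):
    """Return [(kvno, enctype, salt_label), ...] from kadmin getprinc output,
    with display-name enctypes normalised through ENCTYPE_ALIASES."""
    keys = []
    for line in getprinc_output.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            kvno, enctype, salt = m.groups()
            keys.append((int(kvno), ENCTYPE_ALIASES.get(enctype, enctype), salt))
    return keys


def common_enctypes(keys_a, keys_b):
    """(kvno, enctype) pairs present on both KDCs.  An empty result means the
    two sides cannot share a key, so the trust fails regardless of [capaths]."""
    a = {(kvno, et) for kvno, et, _ in keys_a}
    b = {(kvno, et) for kvno, et, _ in keys_b}
    return sorted(a & b)


def check_cross_realm(conf_text, client_realm, server_realm,
                      getprinc_client_kdc, getprinc_server_kdc):
    """Run both checks for a client in client_realm using a service in
    server_realm and return a small report."""
    paths = parse_capaths(conf_text)
    return {
        "path": transit_path(paths, client_realm, server_realm),
        "common_keys": common_enctypes(parse_keys(getprinc_client_kdc),
                                       parse_keys(getprinc_server_kdc)),
    }


if __name__ == "__main__":
    report = check_cross_realm(KRB5_CONF, "REALM_B", "REALM_A",
                               GETPRINC_ON_REALM_B_KDC, GETPRINC_ON_REALM_A_KDC)
    if report["path"] is None:
        print("no [capaths] entry for REALM_B -> REALM_A")
    else:
        print("REALM_B -> REALM_A via", report["path"] or "direct trust")
    print("(kvno, enctype) pairs both KDCs hold for krbtgt/REALM_A@REALM_B:",
          report["common_keys"] or "NONE")
```

On the listings from the post the only pair the two KDCs have in common is (1, des3-cbc-sha1); the AES and RC4 keys exist only on the REALM_A side and the single-DES keys only on the REALM_B side, so that 3DES key is the one the cross-realm exchange has to agree on.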

