[Freeipa-users] Cross-Realm authentication

Alexander Bokovoy abokovoy at redhat.com
Wed Dec 3 13:53:51 UTC 2014


On Wed, 03 Dec 2014, Andreas Ladanyi wrote:
>Hi,
>
>I am trying to set up a cross-realm relationship.
>
>Generated krbtgt cross-realm principals on both KDCs with the same
>password and kvno:
>
>krbtgt/REALM_B (MIT Kerberos)@REALM_A (FreeIPA 3.3.5)
>krbtgt/REALM_A at REALM_B
>
>getprinc on REALM_A KDC for principal krbtgt/REALM_B at REALM_A:
>
>Number of keys: 4
>Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
>Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
>Key: vno 1, des3-cbc-sha1, Version 5
>Key: vno 1, arcfour-hmac, Version 5
>MKey: vno 1
>
>getprinc on REALM_A KDC for principal krbtgt/REALM_A at REALM_B:
>
>Number of keys: 4
>Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
>Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
>Key: vno 1, des3-cbc-sha1, Version 5
>Key: vno 1, arcfour-hmac, Version 5
>MKey: vno 1
>
>getprinc on REALM_B KDC for principal krbtgt/REALM_B at REALM_A:
>
>Number of keys: 6
>Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>Key: vno 1, DES cbc mode with CRC-32, no salt
>Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>MKey: vno 1
>
>getprinc on REALM_B KDC for principal krbtgt/REALM_A at REALM_B:
>
>Number of keys: 6
>Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>Key: vno 1, DES cbc mode with CRC-32, no salt
>Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>MKey: vno 1
>
>
>I set up the [capaths] section in the krb5.conf client config:
>
>[capaths]
>REALM_A = {
>    REALM_B = .
>    }
>REALM_B = {
>    REALM_A = .
>    }
You need this section on both realms' KDCs.


-- 
/ Alexander Bokovoy
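A check for the reply's point, that the [capaths] stanza quoted in the question has to be present in the krb5.conf of each KDC: it parses the stanza and reports any direction that lacks a direct (".") path. This is an added example, not code from the thread, FreeIPA or MIT Kerberos; the sample configuration is constructed after the one in the question.

```python
import re

# Constructed sample modelled on the [capaths] stanza quoted in the
# question; an extra section shows that the parser ignores other stanzas.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = REALM_A

[capaths]
REALM_A = {
    REALM_B = .
    }
REALM_B = {
    REALM_A = .
    }
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [hops]}} from [capaths].
    A hop of "." means a direct trust; other values name intermediate realms."""
    paths, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            section, realm = header.group(1), None
            continue
        if section != 'capaths':
            continue
        if line == '}':                           # end of a realm block
            realm = None
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':                          # start of a realm block
            realm = key
            paths.setdefault(realm, {})
        elif realm is not None and value:
            paths[realm].setdefault(key, []).append(value)
    return paths

def missing_direct_paths(paths, realm_a, realm_b):
    """Return the (client, server) pairs that lack a direct '.' path.
    Run against each KDC's krb5.conf; an empty list means both are declared."""
    return [(c, s) for c, s in ((realm_a, realm_b), (realm_b, realm_a))
            if '.' not in paths.get(c, {}).get(s, [])]
```

Point it at the real file with `parse_capaths(open('/etc/krb5.conf').read())` on each KDC; a non-empty result names the direction that still needs an entry.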
