[Freeipa-users] Cross-Realm authentication

Andreas Ladanyi andreas.ladanyi at kit.edu
Thu Dec 4 09:25:15 UTC 2014


On 03.12.2014 at 14:53, Alexander Bokovoy wrote:
> On Wed, 03 Dec 2014, Andreas Ladanyi wrote:
>> Hi,
>>
>> I am trying to set up a cross-realm relationship.
>>
>> I generated krbtgt cross-realm principals on both KDCs with the same
>> password and kvno:
>>
>> krbtgt/REALM_B (MIT Kerberos)@REALM_A (FreeIPA 3.3.5)
>> krbtgt/REALM_A@REALM_B
>>
>> getprinc on REALM_A KDC for principal krbtgt/REALM_B@REALM_A:
>>
>> Number of keys: 4
>> Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
>> Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
>> Key: vno 1, des3-cbc-sha1, Version 5
>> Key: vno 1, arcfour-hmac, Version 5
>> MKey: vno 1
>>
>> getprinc on REALM_A KDC for principal krbtgt/REALM_A@REALM_B:
>>
>> Number of keys: 4
>> Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
>> Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
>> Key: vno 1, des3-cbc-sha1, Version 5
>> Key: vno 1, arcfour-hmac, Version 5
>> MKey: vno 1
>>
>> getprinc on REALM_B KDC for principal krbtgt/REALM_B@REALM_A:
>>
>> Number of keys: 6
>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 1, DES cbc mode with CRC-32, no salt
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>> Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>> MKey: vno 1
>>
>> getprinc on REALM_B KDC for principal krbtgt/REALM_A@REALM_B:
>>
>> Number of keys: 6
>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 1, DES cbc mode with CRC-32, no salt
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 4
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
>> Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
>> Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
>> MKey: vno 1
>>
>>
>> I set up the [capaths] section in the krb5.conf client config:
>>
>> [capaths]
>> REALM_A = {
>>    REALM_B = .
>>    }
>> REALM_B = {
>>    REALM_A = .
>>    }
> You need this section on both realm's KDCs.
>
>

I have done this now on both KDCs without restarting the Kerberos
service. The error message is the same as in my first mail.

-- 

Dipl.-Ing. (FH) Andreas Ladanyi

ATIS - Dept. of Technical Infrastructure, Faculty of Informatics
Karlsruher Institut für Technologie (KIT)

Am Fasanengarten 5, Building 50.34, Room 013
76131 Karlsruhe
Phone: +49 721 608-43663

E-Mail: andreas.ladanyi at kit.edu

www.atis.informatik.kit.edu
www.kit.edu

KIT - University of the State of Baden-Württemberg and National Research Center of the Helmholtz Association
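An added example, not part of this thread and not FreeIPA or MIT krb5 code: a script that takes the getprinc output for one cross-realm principal from each KDC and reports which enctypes the two copies actually share. The point it demonstrates is that krbtgt/REALM_B@REALM_A is encrypted by REALM_A's TGS with its copy of the key and decrypted by REALM_B's KDC with its own copy, so the two databases need at least one enctype held by both with the same kvno and an identically derived key. The sample dumps are transcribed from the two getprinc listings of krbtgt/REALM_B@REALM_A above; the long-to-short enctype name table is an assumption of the example (older MIT kadmin prints long descriptions, newer builds print short names).

```python
"""Cross-check the two copies of a cross-realm krbtgt principal.

A trust between REALM_A and REALM_B stores krbtgt/REALM_B@REALM_A in both
KDC databases: REALM_A's TGS encrypts the cross-realm TGT with its copy,
and REALM_B's KDC must decrypt it with its own. That only works for an
enctype that both copies hold with the same kvno and an identically
derived key. This script parses 'kadmin getprinc' output from each side
and reports the overlap. (Added example, not FreeIPA or MIT krb5 code.)
"""
import re

# Older MIT kadmin prints long enctype descriptions; newer builds (and the
# FreeIPA KDC's kadmin) print short names. Map long forms to short names so
# both dumps compare. Assumption of this example: the table covers the names
# in the two dumps; unknown names pass through unchanged.
LONG_TO_SHORT = {
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
}

# "Key: vno <n>, <enctype>[, <salt label>]"
KEY_LINE = re.compile(r"^\s*Key:\s*vno\s+(\d+),\s*([^,]+?)(?:,\s*(.*))?\s*$")


def parse_keys(getprinc_output):
    """Return [(kvno, enctype, salt_label), ...] for every 'Key:' line."""
    keys = []
    for line in getprinc_output.splitlines():
        m = KEY_LINE.match(line)
        if m is None:
            continue
        kvno = int(m.group(1))
        raw = m.group(2).strip()
        enctype = LONG_TO_SHORT.get(raw, raw)
        salt = (m.group(3) or "").strip()
        keys.append((kvno, enctype, salt))
    return keys


def _by_enctype(keys):
    """Group (kvno, salt label) pairs by enctype."""
    table = {}
    for kvno, enctype, salt in keys:
        table.setdefault(enctype, set()).add((kvno, salt))
    return table


def check_trust(dump_a, dump_b):
    """Compare one cross-realm principal's key set as seen from each KDC.

    Returns a dict with:
      common      enctypes present in both dumps
      only_a/only_b  enctypes held by one side only (never usable)
      usable      common enctypes whose (kvno, salt label) also agrees
      mismatched  common enctypes whose kvno or salt label differs, with the
                  (kvno, salt) pairs seen on each side

    getprinc prints "no salt" when the entry records no salt type; whether
    such a key equals one derived with "Version 5" salt depends on the KDC
    build, so treat a salt-label mismatch as something to verify on the
    KDCs, not as proof that the trust is broken.
    """
    a = _by_enctype(parse_keys(dump_a))
    b = _by_enctype(parse_keys(dump_b))
    common = set(a) & set(b)
    usable = {e for e in common if a[e] & b[e]}
    return {
        "common": common,
        "only_a": set(a) - common,
        "only_b": set(b) - common,
        "usable": usable,
        "mismatched": {e: (sorted(a[e]), sorted(b[e])) for e in common - usable},
    }


# Constructed sample input: the two getprinc dumps of krbtgt/REALM_B@REALM_A
# from the thread (REALM_A = FreeIPA 3.3.5 KDC, REALM_B = MIT Kerberos KDC).
REALM_A_DUMP = """\
Number of keys: 4
Key: vno 1, aes256-cts-hmac-sha1-96, Version 5
Key: vno 1, aes128-cts-hmac-sha1-96, Version 5
Key: vno 1, des3-cbc-sha1, Version 5
Key: vno 1, arcfour-hmac, Version 5
MKey: vno 1
"""

REALM_B_DUMP = """\
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, Version 4
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 1, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 1, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
"""

if __name__ == "__main__":
    report = check_trust(REALM_A_DUMP, REALM_B_DUMP)
    for name in ("common", "only_a", "only_b", "usable"):
        print(f"{name:10} {sorted(report[name])}")
    for enctype, (seen_a, seen_b) in report["mismatched"].items():
        print(f"mismatch   {enctype}: REALM_A has {seen_a}, REALM_B has {seen_b}")
    if not report["usable"]:
        print("no enctype with matching kvno and salt on both sides")
```

On a real pair of KDCs, feed it the output of `kadmin.local -q "getprinc krbtgt/REALM_B@REALM_A"` run on each side, then repeat for krbtgt/REALM_A@REALM_B. For the dumps in this thread the only enctype both copies hold is des3-cbc-sha1, and even that one carries a different salt label on each side; the AES and RC4 keys on the FreeIPA side have no counterpart on the MIT side at all.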

