[Freeipa-users] Unable to setup FreeIPA and MIT kerberos cross domain trust

Vivek Shrivastava vivshrivastava at gmail.com
Wed Apr 13 01:56:51 UTC 2016 

Hi,


I am trying to setup cross domain trust between FreeIPA and MIT Kerberos. I
have already created krbtgt in the both FreeIPA and MIT Kerberos. I can
successfully get Kerberos ticket from the both domains.However when I try
to access Hadoop using the FreeIPA domain then I get this error in trace
log. Wondering what is missing?


Service ticket not found in the subject

>>> Realm doInitialParse: cRealm=[TEST.COM], sRealm=[TEST2.COM]

>>> Realm parseCapaths: no cfg entry

>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/
TEST2.COM at TEST.COM

Using builtin default etypes for default_tgs_enctypes

default etypes for default_tgs_enctypes: 18 17 16 23 1 3.

>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType

>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType

getKDCFromDNS using UDP

>>> KrbKdcReq send: kdc=test2company.com. UDP:88, timeout=30000, number of
retries =3, #bytes=701

>>> KDCCommunication: kdc=test2company.com. UDP:88, timeout=30000,Attempt
=1, #bytes=701

>>> KrbKdcReq send: #bytes read=637

>>> KdcAccessibility: remove test2company.com.:88

>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType

>>> Credentials acquireServiceCreds: global OK-AS-DELEGATE turned off at
krbtgt/TEST2.COM at TEST.COM

>>> Credentials acquireServiceCreds: got tgt

>>> Credentials acquireServiceCreds: got right tgt

>>> Credentials acquireServiceCreds: obtaining service creds for nn/
testcompany.com at TEST2.COM

Using builtin default etypes for default_tgs_enctypes

default etypes for default_tgs_enctypes: 18 17 16 23 1 3.

>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType

>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType

>>> KrbKdcReq send: kdc=testcompany.com UDP:88, timeout=30000, number of
retries =3, #bytes=662

>>> KDCCommunication: kdc=testcompany.com UDP:88, timeout=30000,Attempt =1,
#bytes=662

>>> KrbKdcReq send: #bytes read=150

>>> KdcAccessibility: remove testcompany.com

>>> KDCRep: init() encoding tag is 126 req type is 13

>>>KRBError:

         cTime is Sun Jun 01 13:55:49 EDT 1975 170877349000

         sTime is Sat Apr 09 15:01:16 EDT 2016 1460228476000

         suSec is 693381

         error code is 31

         error Message is Integrity check on decrypted field failed

         realm is TEST2.COM

         sname is nn/testcompany.com

         msgType is 30
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160412/4c5f5862/attachment.htm>

More information about the Freeipa-users mailing list