[Freeipa-users] Unable to setup FreeIPA and MIT kerberos cross domain trust
Vivek Shrivastava
vivshrivastava at gmail.com
Wed Apr 13 01:56:51 UTC 2016
Hi,
I am trying to set up cross-domain trust between FreeIPA and MIT Kerberos. I
have already created krbtgt in both FreeIPA and MIT Kerberos. I can
successfully get a Kerberos ticket from both domains. However, when I try
to access Hadoop using the FreeIPA domain, I get this error in the trace
log. Wondering what is missing?
Service ticket not found in the subject
>>> Realm doInitialParse: cRealm=[TEST.COM], sRealm=[TEST2.COM]
>>> Realm parseCapaths: no cfg entry
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/
TEST2.COM at TEST.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=test2company.com. UDP:88, timeout=30000, number of
retries =3, #bytes=701
>>> KDCCommunication: kdc=test2company.com. UDP:88, timeout=30000,Attempt
=1, #bytes=701
>>> KrbKdcReq send: #bytes read=637
>>> KdcAccessibility: remove test2company.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> Credentials acquireServiceCreds: global OK-AS-DELEGATE turned off at
krbtgt/TEST2.COM at TEST.COM
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: got right tgt
>>> Credentials acquireServiceCreds: obtaining service creds for nn/
testcompany.com at TEST2.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbKdcReq send: kdc=testcompany.com UDP:88, timeout=30000, number of
retries =3, #bytes=662
>>> KDCCommunication: kdc=testcompany.com UDP:88, timeout=30000,Attempt =1,
#bytes=662
>>> KrbKdcReq send: #bytes read=150
>>> KdcAccessibility: remove testcompany.com
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
cTime is Sun Jun 01 13:55:49 EDT 1975 170877349000
sTime is Sat Apr 09 15:01:16 EDT 2016 1460228476000
suSec is 693381
error code is 31
error Message is Integrity check on decrypted field failed
realm is TEST2.COM
sname is nn/testcompany.com
msgType is 30
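
An added example, not part of the original post: a small Python parser for the JDK Kerberos debug trace shown above that ties each KRBError block to the KDC and principal being requested at that point and names the error code per RFC 4120. The function name and the sample (the post's trace, abridged, with its wrapped lines rejoined) are constructed for illustration.

```python
import re

# Subset of Kerberos error codes from RFC 4120, section 7.5.9.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    31: "KRB_AP_ERR_BAD_INTEGRITY",
    37: "KRB_AP_ERR_SKEW",
}

# Constructed sample: abridged from the trace in the post, wrapped lines rejoined.
SAMPLE = """\
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/TEST2.COM at TEST.COM
>>> KrbKdcReq send: kdc=test2company.com. UDP:88, timeout=30000, number of retries =3, #bytes=701
>>> Credentials acquireServiceCreds: got right tgt
>>> Credentials acquireServiceCreds: obtaining service creds for nn/testcompany.com at TEST2.COM
>>> KrbKdcReq send: kdc=testcompany.com UDP:88, timeout=30000, number of retries =3, #bytes=662
>>>KRBError:
error code is 31
error Message is Integrity check on decrypted field failed
realm is TEST2.COM
sname is nn/testcompany.com
msgType is 30
"""

def find_krb_errors(trace):
    """Return one dict per KRBError block, tagged with the KDC and target in effect."""
    errors, kdc, target, cur = [], None, None, None
    for line in trace.splitlines():
        line = line.strip()
        if m := re.search(r"KrbKdcReq send: kdc=(\S+)", line):
            kdc = m.group(1).rstrip(".")          # last KDC a request was sent to
        elif m := re.search(r"(?:tempService=|service creds for )(.+)$", line):
            target = m.group(1)                   # principal currently being requested
        elif line.replace(" ", "").startswith(">>>KRBError"):
            cur = {"kdc": kdc, "target": target}  # open a new error record
            errors.append(cur)
        elif cur is not None and (m := re.match(r"(error code|realm|sname) is (.+)$", line)):
            cur[m.group(1)] = m.group(2)
    for e in errors:
        e["name"] = KRB_ERRORS.get(int(e.get("error code", -1)), "unknown")
    return errors

if __name__ == "__main__":
    for err in find_krb_errors(SAMPLE):
        print(err)
```

On the sample, the single error is attributed to the request for `nn/testcompany.com` sent to `testcompany.com`, that is, the exchange after the trace reports `got right tgt` for `krbtgt/TEST2.COM`.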