[Freeipa-users] Unable to setup FreeIPA and MIT kerberos cross domain trust

Sumit Bose sbose at redhat.com
Wed Apr 13 08:42:42 UTC 2016


On Tue, Apr 12, 2016 at 06:56:51PM -0700, Vivek Shrivastava wrote:
> Hi,
> 
> 
> I am trying to setup cross domain trust between FreeIPA and MIT Kerberos. I
> have already created krbtgt in the both FreeIPA and MIT Kerberos. I can
> successfully get Kerberos ticket from the both domains. However when I try

Which kind of tickets did you try, only TGTs or service tickets as
well? Have you tried

kinit user at TEST.COM
kvno server/host.test2.com at TEST.COM

i.e. to get a service ticket from TEST2.COM for a user from TEST.COM?
I'm asking because the error below "error Message is Integrity check on
decrypted field failed" looks a bit like the shared key in the
cross-realm TGTs (krbtgt/TEST2.COM at TEST.COM and
krbtgt/TEST.COM at TEST2.COM) are not the same.

HTH

bye,
Sumit

> to access Hadoop using the FreeIPA domain then I get this error in trace
> log. Wondering what is missing?
> 
> 
> Service ticket not found in the subject
> 
> >>> Realm doInitialParse: cRealm=[TEST.COM], sRealm=[TEST2.COM]
> 
> >>> Realm parseCapaths: no cfg entry
> 
> >>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/
> TEST2.COM at TEST.COM
> 
> Using builtin default etypes for default_tgs_enctypes
> 
> default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
> 
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> 
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> 
> getKDCFromDNS using UDP
> 
> >>> KrbKdcReq send: kdc=test2company.com. UDP:88, timeout=30000, number of
> retries =3, #bytes=701
> 
> >>> KDCCommunication: kdc=test2company.com. UDP:88, timeout=30000,Attempt
> =1, #bytes=701
> 
> >>> KrbKdcReq send: #bytes read=637
> 
> >>> KdcAccessibility: remove test2company.com.:88
> 
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> 
> >>> Credentials acquireServiceCreds: global OK-AS-DELEGATE turned off at
> krbtgt/TEST2.COM at TEST.COM
> 
> >>> Credentials acquireServiceCreds: got tgt
> 
> >>> Credentials acquireServiceCreds: got right tgt
> 
> >>> Credentials acquireServiceCreds: obtaining service creds for nn/
> testcompany.com at TEST2.COM
> 
> Using builtin default etypes for default_tgs_enctypes
> 
> default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
> 
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> 
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> 
> >>> KrbKdcReq send: kdc=testcompany.com UDP:88, timeout=30000, number of
> retries =3, #bytes=662
> 
> >>> KDCCommunication: kdc=testcompany.com UDP:88, timeout=30000,Attempt =1,
> #bytes=662
> 
> >>> KrbKdcReq send: #bytes read=150
> 
> >>> KdcAccessibility: remove testcompany.com
> 
> >>> KDCRep: init() encoding tag is 126 req type is 13
> 
> >>>KRBError:
> 
>          cTime is Sun Jun 01 13:55:49 EDT 1975 170877349000
> 
>          sTime is Sat Apr 09 15:01:16 EDT 2016 1460228476000
> 
>          suSec is 693381
> 
>          error code is 31
> 
>          error Message is Integrity check on decrypted field failed
> 
>          realm is TEST2.COM
> 
>          sname is nn/testcompany.com
> 
>          msgType is 30

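The trace quoted above is the JDK's own Kerberos debug output (printed with -Dsun.security.krb5.debug=true), and the failing step is easy to miss among the etype and KDC lines. The following is an added example, not code from the thread or from FreeIPA: it parses such a trace, names the error code from the RFC 4120 table (31 is KRB_AP_ERR_BAD_INTEGRITY, which is what the JDK renders as "Integrity check on decrypted field failed"), and flags the pattern Sumit describes: the home realm handed out the cross-realm TGT, but the foreign KDC could not verify it, which points at the two copies of the krbtgt/TEST2.COM@TEST.COM key not matching. The sample trace is constructed from the shape of the lines in the post with the "@" signs restored; the KDC host names and the service principal in it are placeholders, and the label strings returned by diagnose() are this example's own.

```python
"""Summarise a JDK Kerberos debug trace and name the failing step.

Added example (not from the mailing-list thread). SAMPLE_TRACE below is
constructed to mirror the shape of the post's trace: the realm names come
from the thread, the KDC host names and service principal are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Error codes from RFC 4120 section 7.5.9 (subset relevant to TGS exchanges).
KRB_ERROR_CODES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    28: "KDC_ERR_PATH_NOT_ACCEPTED",
    31: "KRB_AP_ERR_BAD_INTEGRITY",   # "Integrity check on decrypted field failed"
    32: "KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB_AP_ERR_SKEW",
    41: "KRB_AP_ERR_MODIFIED",
    44: "KRB_AP_ERR_BADKEYVER",
}


@dataclass
class TraceSummary:
    client_realm: Optional[str] = None        # cRealm from "Realm doInitialParse"
    server_realm: Optional[str] = None        # sRealm from "Realm doInitialParse"
    cross_realm_tgt: Optional[str] = None     # krbtgt/SREALM@CREALM that was requested
    cross_realm_tgt_obtained: bool = False    # "got right tgt" was logged
    service: Optional[str] = None             # service principal finally requested
    kdcs_contacted: List[str] = field(default_factory=list)
    error_code: Optional[int] = None
    error_realm: Optional[str] = None
    error_sname: Optional[str] = None

    @property
    def error_name(self) -> Optional[str]:
        if self.error_code is None:
            return None
        return KRB_ERROR_CODES.get(self.error_code, f"UNKNOWN({self.error_code})")


def parse_trace(text: str) -> TraceSummary:
    """Walk the trace once and keep the facts needed to explain a failure."""
    s = TraceSummary()
    for raw in text.splitlines():
        line = raw.lstrip(">").strip()       # drop the ">>> " prefix the JDK prints
        if not line:
            continue
        m = re.search(r"cRealm=\[([^\]]+)\], sRealm=\[([^\]]+)\]", line)
        if m:
            s.client_realm, s.server_realm = m.group(1), m.group(2)
            continue
        m = re.search(r"tempService=(krbtgt/\S+)", line)
        if m:
            s.cross_realm_tgt = m.group(1)
            continue
        if "acquireServiceCreds: got right tgt" in line:
            s.cross_realm_tgt_obtained = True
            continue
        m = re.search(r"obtaining service creds for (\S+)", line)
        if m:
            s.service = m.group(1)
            continue
        m = re.search(r"KrbKdcReq send: kdc=(\S+)", line)
        if m:
            kdc = m.group(1).rstrip(".")     # DNS lookups leave a trailing dot
            if kdc not in s.kdcs_contacted:
                s.kdcs_contacted.append(kdc)
            continue
        m = re.match(r"error code is (\d+)", line)
        if m:
            s.error_code = int(m.group(1))
            continue
        m = re.match(r"realm is (\S+)", line)
        if m:
            s.error_realm = m.group(1)
            continue
        m = re.match(r"sname is (\S+)", line)
        if m:
            s.error_sname = m.group(1)
    return s


def diagnose(s: TraceSummary) -> Tuple[str, str]:
    """Return (label, explanation); labels are this example's own vocabulary."""
    if s.error_code is None:
        return ("NO_ERROR", "no KRBError block in trace")
    crossed = bool(s.client_realm and s.server_realm and s.client_realm != s.server_realm)
    if (s.error_code == 31 and crossed and s.cross_realm_tgt_obtained
            and s.error_realm == s.server_realm):
        # Home KDC issued the cross-realm TGT; foreign KDC could not decrypt it.
        return ("CROSS_REALM_KEY_MISMATCH",
                f"{s.client_realm} issued {s.cross_realm_tgt} but the {s.server_realm} KDC "
                f"({s.kdcs_contacted[-1] if s.kdcs_contacted else '?'}) rejected it with "
                f"{s.error_name}: compare key, kvno and enctype of {s.cross_realm_tgt} "
                f"in both realms")
    if s.error_code == 31:
        return ("TICKET_KEY_MISMATCH",
                f"{s.error_name} from {s.error_realm} for {s.error_sname}: the KDC could "
                f"not verify the ticket presented in the TGS request")
    return (s.error_name, f"{s.error_name} from realm {s.error_realm} for {s.error_sname}")


# Constructed sample: same step sequence as the post, placeholder hosts/principals.
SAMPLE_TRACE = """\
>>> Realm doInitialParse: cRealm=[TEST.COM], sRealm=[TEST2.COM]
>>> Realm parseCapaths: no cfg entry
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/TEST2.COM@TEST.COM
>>> KrbKdcReq send: kdc=kdc.test.example. UDP:88, timeout=30000, number of retries =3, #bytes=701
>>> KrbKdcReq send: #bytes read=637
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: got right tgt
>>> Credentials acquireServiceCreds: obtaining service creds for nn/hadoop.test2.example@TEST2.COM
>>> KrbKdcReq send: kdc=kdc.test2.example UDP:88, timeout=30000, number of retries =3, #bytes=662
>>> KrbKdcReq send: #bytes read=150
>>>KRBError:
         error code is 31
         error Message is Integrity check on decrypted field failed
         realm is TEST2.COM
         sname is nn/hadoop.test2.example
         msgType is 30
"""

if __name__ == "__main__":
    label, why = diagnose(parse_trace(SAMPLE_TRACE))
    print(label, "-", why)
```

Feed it the trace from a JVM log (only the ">>>" and KRBError lines matter) and read the label; when it reports CROSS_REALM_KEY_MISMATCH, the kinit/kvno check in the reply above, plus comparing the kvno of the two krbtgt cross-realm principals on each KDC, is the next step.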