[Freeipa-users] Unable to setup FreeIPA and MIT kerberos cross domain trust
Sumit Bose
sbose at redhat.com
Wed Apr 13 08:42:42 UTC 2016
On Tue, Apr 12, 2016 at 06:56:51PM -0700, Vivek Shrivastava wrote:
> Hi,
>
>
> I am trying to setup cross domain trust between FreeIPA and MIT Kerberos. I
> have already created krbtgt in the both FreeIPA and MIT Kerberos. I can
> successfully get Kerberos ticket from the both domains.However when I try
Which kind of tickets did you try, only TGTs or services tickets as
well? Have you tried
kinit user at TEST.COM
kvno server/host.test2.com at TEST.COM
i.e. to get a service ticket from TEST2.COM for a user from TEST.COM?
I'm asking because the error below "error Message is Integrity check on
decrypted field failed" looks a bit like the shared key in the
cross-realm TGTs (krbtgt/TEST2.COM at TEST.COM and
krbtgt/TEST.COM at TEST2.COM) are not the same.
HTH
bye,
Sumit
> to access Hadoop using the FreeIPA domain then I get this error in trace
> log. Wondering what is missing?
>
>
> Service ticket not found in the subject
>
> >>> Realm doInitialParse: cRealm=[TEST.COM], sRealm=[TEST2.COM]
>
> >>> Realm parseCapaths: no cfg entry
>
> >>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/
> TEST2.COM at TEST.COM
>
> Using builtin default etypes for default_tgs_enctypes
>
> default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
>
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>
> getKDCFromDNS using UDP
>
> >>> KrbKdcReq send: kdc=test2company.com. UDP:88, timeout=30000, number of
> retries =3, #bytes=701
>
> >>> KDCCommunication: kdc=test2company.com. UDP:88, timeout=30000,Attempt
> =1, #bytes=701
>
> >>> KrbKdcReq send: #bytes read=637
>
> >>> KdcAccessibility: remove test2company.com.:88
>
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>
> >>> Credentials acquireServiceCreds: global OK-AS-DELEGATE turned off at
> krbtgt/TEST2.COM at TEST.COM
>
> >>> Credentials acquireServiceCreds: got tgt
>
> >>> Credentials acquireServiceCreds: got right tgt
>
> >>> Credentials acquireServiceCreds: obtaining service creds for nn/
> testcompany.com at TEST2.COM
>
> Using builtin default etypes for default_tgs_enctypes
>
> default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
>
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>
> >>> KrbKdcReq send: kdc=testcompany.com UDP:88, timeout=30000, number of
> retries =3, #bytes=662
>
> >>> KDCCommunication: kdc=testcompany.com UDP:88, timeout=30000,Attempt =1,
> #bytes=662
>
> >>> KrbKdcReq send: #bytes read=150
>
> >>> KdcAccessibility: remove testcompany.com
>
> >>> KDCRep: init() encoding tag is 126 req type is 13
>
> >>>KRBError:
>
> cTime is Sun Jun 01 13:55:49 EDT 1975 170877349000
>
> sTime is Sat Apr 09 15:01:16 EDT 2016 1460228476000
>
> suSec is 693381
>
> error code is 31
>
> error Message is Integrity check on decrypted field failed
>
> realm is TEST2.COM
>
> sname is nn/testcompany.com
>
> msgType is 30
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list