tai@IAG.HP.COM (Tai Jin) (10/27/89)
Does anyone know how to set up inter-realm authentication? Thanks...tai
alfonso%agena.usc.edu@USC.EDU (Tasha Alfonso) (07/12/90)
what we want to do:

We have two independent realms, USC.EDU and USC2.EDU. Our own network service application, visa, is registered in realm USC2.EDU. A user (root) is registered in the realm USC.EDU and needs to be authenticated to the visa service in realm USC2.EDU. More specifically, root.@USC.EDU needs inter-realm authentication to visa.pompei@USC2.EDU, where visa is the principal/service, pompei is the instance and USC2.EDU is the realm.

Without success, we followed instructions found in the kerberos mail archive:

  [0444] daemon@TELECOM.MIT.EDU Kerberos 07/12/88 14:29 (50 lines)
  Subject: Re: Crossing Realms
  From: Jon Rochlis <jon@BITSY.MIT.EDU>
  To: Doug Alan <nessus@ATHENA.MIT.EDU>
  Cc: kerberos@ATHENA.MIT.EDU
  In-Reply-To: Doug Alan's message of Tue, 12 Jul 88 00:57:52 EDT,

We interpreted the instructions for inter-realm authentication outlined in this message and made the following entries:

REALM USC.EDU

  kerberos server in this realm is xanadu.usc.edu

  kdb_edit to add principal krbtgt, instance USC2.EDU

  added to /usr/etc/credentials (this filesystem is shared by xanadu and pompei so the access grants for both root@pompei and root@xanadu are in the same file)
    root@xanadu.usc.edu:0
    root@pompei.usc.edu:0

  added to /etc/krb.realm
    pompei.usc.edu USC2.EDU

  added to /etc/krb.conf
    USC2.EDU pompei.usc.edu

REALM USC2.EDU

  kerberos server in this realm is pompei.usc.edu

  kdb_edit to add principal krbtgt, instance USC.EDU

  added to /usr/etc/credentials (this filesystem is shared by xanadu and pompei so the access grants for both root@pompei and root@xanadu are in the same file)
    root@xanadu.usc.edu:0
    root@pompei.usc.edu:0

  added to /etc/krb.realm
    xanadu.usc.edu USC.EDU

  added to /etc/krb.conf
    USC.EDU xanadu.usc.edu

Results/errors

If we try kinit -r, we obtain a tgt ticket to the remote ticket granting service. That seems to work.

However, when we try authenticating to the remote service we got the following kerberos error message:

  krb_rd_req returned 31: Can't decode authenticator (krb_rd_req)

Is this the correct procedure for inter-realm authentication? Any help is much appreciated!

Thanks,
Tasha Alfonso
Ron Cocchi
jon@MIT.EDU (Jon A. Rochlis) (07/13/90)
> From: alfonso%agena.usc.edu@usc.edu (Tasha Alfonso)
> To: kerberos@ATHENA.MIT.EDU
> Cc: alfonso@agena.usc.edu, cocchi@jerico.MIT.EDU
> Subject: inter-realm authentication

Your mailer doesn't seem to fully qualify cc'd domain names (i.e. jerico.MIT.EDU probably wants to be jerico.usc.edu)

> We interpreted the instructions for inter-realm authentication outlined in this message and made the following entries:

It's very important that krbtgt.USC2.EDU@USC.EDU and krbtgt.USC.EDU@USC2.EDU both have the same private keys. Is this the case? It isn't clear to me from your message if you did that part correctly.

> If we try kinit -r, we obtain a tgt ticket to the remote ticket granting service. That seems to work.

You shouldn't need to kinit -r. The following is the sequence of tickets that should be obtained if root@USC.EDU wishes to authenticate to visa.pompei@USC2.EDU:

  (1) krbtgt.USC.EDU@USC.EDU
  (2) krbtgt.USC2.EDU@USC.EDU [by presenting (1) to the USC.EDU krb server]
  (3) visa.pompei@USC2.EDU [by presenting (2) to the USC2.EDU krb server, which is able to decode this TGT because it is encrypted in the same key as krbtgt.USC.EDU@USC2.EDU which the USC2.EDU krb servers have in their db]

Steps (2) and (3) should happen automagically when you ask krb_sendauth or krb_mk_req to get a ticket for visa.pompei@USC2.EDU.

Which of these tickets do you get? What do the kerberos.log files on both servers say?

		-- Jon
alfonso%agena.usc.edu@USC.EDU (Tasha Alfonso) (07/13/90)
Jon, thanks for your reply.

> It's very important that krbtgt.USC2.EDU@USC.EDU and krbtgt.USC.EDU@USC2.EDU both have the same private keys. Is this the case? It isn't clear to me from your message if you did that part correctly.

Yes, krbtgt.USC2.EDU@USC.EDU and krbtgt.USC.EDU@USC2.EDU have the same private key.

> Which of these tickets do you get? What do the kerberos.log files on both servers say?
>
> 		-- Jon

We get only the first ticket:

  Principal: root@USC.EDU

    Issued           Expires          Principal
  Jul 12 17:58:11  Jul 13 01:58:11  krbtgt.USC.EDU@USC.EDU

The kerberos log on USC.EDU reads:

  12-Jul-90 17:57:49 Getting key for USC.EDU
  12-Jul-90 17:58:08 Initial ticket request Host: 128.125.51.1 User: "root" ""
  12-Jul-90 17:58:45 APPL Request root.@USC.EDU on 128.125.51.1 for visa.pompei
  12-Jul-90 17:58:45 UNKNOWN "visa" "pompei"

Thanks,
Tasha
jon@MIT.EDU (Jon A. Rochlis) (07/13/90)
> We get only the first ticket:
>
>   Principal: root@USC.EDU
>
>     Issued           Expires          Principal
>   Jul 12 17:58:11  Jul 13 01:58:11  krbtgt.USC.EDU@USC.EDU
>
> The kerberos log on USC.EDU reads:
>
>   12-Jul-90 17:57:49 Getting key for USC.EDU
>   12-Jul-90 17:58:08 Initial ticket request Host: 128.125.51.1 User: "root" ""
>   12-Jul-90 17:58:45 APPL Request root.@USC.EDU on 128.125.51.1 for visa.pompei
>   12-Jul-90 17:58:45 UNKNOWN "visa" "pompei"

Tasha,

You should not be seeing the last 2 lines in the USC.EDU logs. You should only see the request for the TGT for USC2. The USC2 log should have a request for visa.pompei.

Are you sure that your application is putting USC2.EDU in the service realm field for the call to krb_sendauth or krb_mk_req (whichever you use)? It looks like the application isn't doing that and it's defaulting to the local realm (USC.EDU).

		-- Jon
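The three-ticket sequence Jon lays out, and the two failure modes the thread touches on (mismatched krbtgt keys on the two servers, and an application that leaves the service realm field empty so the local realm is used), can be modelled in a few lines. The following is an added Python illustration, not code from this thread or from the MIT Kerberos distribution: it stands in a toy sealing routine (SHA-256 keystream plus an HMAC tag) for Kerberos v4's DES ticket encryption, uses constructed random keys, and keeps only the parts of a KDC needed to show which database entry opens which ticket. Principal and realm names are the ones from the thread; the log strings imitate the kerberos.log lines Tasha posted.

```python
"""Toy model of Kerberos v4 cross-realm ticket acquisition (constructed example)."""
import hashlib
import hmac
import os


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy stand-in for v4's DES ticket encryption: XOR with a SHA-256
    keystream plus an HMAC tag, so unsealing under the wrong key is
    detected instead of yielding garbage. Plaintext is at most 32 bytes."""
    nonce = os.urandom(8)
    stream = hashlib.sha256(key + nonce).digest()
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:8]
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:8], blob[8:-8], blob[-8:]
    expect = hmac.new(key, nonce + body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expect, tag):
        # the wrong key gives the same symptom the thread reports
        raise ValueError("Can't decode authenticator")
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(b ^ s for b, s in zip(body, stream))


def ticket_name(ticket):
    name, instance, realm, _ = ticket
    return f"{name}.{instance}@{realm}"


class KDC:
    """One realm's Kerberos server: its principal database and its log."""

    def __init__(self, realm, db):
        self.realm = realm
        self.db = db        # "name.instance" -> key, as kdb_edit would populate it
        self.log = []

    def initial_ticket(self, user):
        """kinit: TGT for krbtgt.<REALM>@<REALM>, sealed under the local krbtgt key."""
        self.log.append(f'Initial ticket request User: "{user}"')
        key = self.db[f"krbtgt.{self.realm}"]
        return ("krbtgt", self.realm, self.realm, seal(key, f"{user}@{self.realm}".encode()))

    def tgs_request(self, tgt, service, instance):
        """Handle a ticket-granting request made by presenting `tgt`."""
        _, _, issuing_realm, blob = tgt
        # A TGT issued by realm R is sealed under R's key for krbtgt.<our realm>;
        # we can only open it with our own db entry krbtgt.<R>, so both entries
        # must hold the same key. For a local TGT, R is our own realm.
        key = self.db.get(f"krbtgt.{issuing_realm}")
        if key is None:
            raise ValueError(f"no krbtgt.{issuing_realm} entry in {self.realm} db")
        client = unseal(key, blob).decode()
        self.log.append(f"APPL Request {client} for {service}.{instance}")
        svc_key = self.db.get(f"{service}.{instance}")
        if svc_key is None:
            self.log.append(f'UNKNOWN "{service}" "{instance}"')
            raise LookupError(f"{service}.{instance}@{self.realm} not in database")
        return (service, instance, self.realm, seal(svc_key, client.encode()))


def get_service_ticket(kdcs, local_realm, user, service, instance, service_realm=None):
    """The ticket chain krb_mk_req walks. service_realm=None mimics an
    application that leaves the realm field empty, so the local realm is used."""
    service_realm = service_realm or local_realm
    local = kdcs[local_realm]
    tgt = local.initial_ticket(user)                           # (1)
    chain = [ticket_name(tgt)]
    if service_realm != local_realm:
        tgt = local.tgs_request(tgt, "krbtgt", service_realm)  # (2)
        chain.append(ticket_name(tgt))
    ticket = kdcs[service_realm].tgs_request(tgt, service, instance)  # (3)
    chain.append(ticket_name(ticket))
    return chain


def build_realms(shared_key, remote_copy=None):
    """Two realms with constructed keys; `remote_copy` lets USC2.EDU's copy differ."""
    remote_copy = shared_key if remote_copy is None else remote_copy
    usc = KDC("USC.EDU", {"krbtgt.USC.EDU": os.urandom(16), "krbtgt.USC2.EDU": shared_key})
    usc2 = KDC("USC2.EDU", {"krbtgt.USC2.EDU": os.urandom(16), "krbtgt.USC.EDU": remote_copy,
                            "visa.pompei": os.urandom(16)})
    return {"USC.EDU": usc, "USC2.EDU": usc2}


def scenario_correct():
    kdcs = build_realms(os.urandom(16))
    return get_service_ticket(kdcs, "USC.EDU", "root", "visa", "pompei", "USC2.EDU")


def scenario_key_mismatch():
    kdcs = build_realms(os.urandom(16), os.urandom(16))
    try:
        get_service_ticket(kdcs, "USC.EDU", "root", "visa", "pompei", "USC2.EDU")
    except ValueError as err:
        return str(err)


def scenario_realm_defaulted():
    kdcs = build_realms(os.urandom(16))
    try:
        get_service_ticket(kdcs, "USC.EDU", "root", "visa", "pompei")
    except LookupError:
        pass
    return kdcs["USC.EDU"].log[-1]
```

`scenario_correct()` returns the three ticket names in Jon's order; `scenario_key_mismatch()` returns the "Can't decode authenticator" text, because the USC2.EDU server cannot open a cross-realm TGT sealed under a key its own krbtgt.USC.EDU entry does not hold; and `scenario_realm_defaulted()` returns the UNKNOWN "visa" "pompei" log line on the USC.EDU server, the exact trace Jon reads as the application defaulting to the local realm.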