ksu / cross-realm


ksu / cross-realm

Benoit PLESSIS

Hi guys,

I'm having some unexpected difficulties with ksu in a multi-realm
environment.

With user1@REALM1 and server.domain@REALM1 everything is working flawlessly:

    ssh [hidden email] from user1@REALM1
    ssh [hidden email] from user1@REALM1 (with appropriate .k5login)
    [hidden email]> ksu user2

With user1@REALM2 and server@REALM1 the ksu fails:

    ssh [hidden email] from user1@REALM2 => ok
    ssh [hidden email] from user1@REALM2 => ok
    [hidden email]> ksu user2             => Server not found in
Kerberos database

Apparently in the second case ksu tries to request a TGS in the form of
server@REALM2, which indeed doesn't exist.

Any idea why?

krb5.conf:

[libdefaults]
    default_realm = REALM1
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
[realms]
REALM1 = {
    kdc = ...
    }
REALM2 = {
    kdc = ...
    }

[domain_realm]
    domain = REALM1

[capaths]
        REALM1 = { REALM2 = . }
        REALM2 = { REALM1 = . }


--
Benoit


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
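An added example, not code from the thread: a small Python model of the two lookups behind the failure described above. Before ksu switches user it obtains a ticket for the local host's service principal to verify the TGT against the keytab; the realm of that principal comes from [domain_realm], and whether a client from the other realm can reach it comes from [capaths]. The krb5.conf text below is constructed to mirror the posted one (KDC hostnames are placeholders), and the `host/` service name, the `ksu_verification_target` helper and the unmodelled fallback for unmapped hosts are assumptions of this example.

```python
"""Model the [domain_realm] and [capaths] lookups that decide which host
service principal ksu asks a ticket for, and whether the client's realm has
a route to it.  Added example; not code from the mailing-list thread."""
import re

# Constructed krb5.conf mirroring the one posted in the thread; the kdc
# values are placeholders (the post elides them).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = REALM1
    forwardable = true
    proxiable = true

[realms]
REALM1 = {
    kdc = kdc1.example.invalid
    }
REALM2 = {
    kdc = kdc2.example.invalid
    }

[domain_realm]
    domain = REALM1

[capaths]
        REALM1 = { REALM2 = . }
        REALM2 = { REALM1 = . }
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section] headers, 'key = value'
    lines and 'NAME = { ... }' groups that may open and close on one line.
    Repeated keys (multi-hop capaths syntax) are not modelled."""
    sections = {}
    stack = []                      # innermost open group is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError("value outside any section: " + line)
        while line:
            opener = re.match(r"(\S+)\s*=\s*\{\s*(.*)", line)
            if opener:
                stack.append(stack[-1].setdefault(opener.group(1), {}))
                line = opener.group(2)
                continue
            if line.startswith("}"):
                stack.pop()
                line = line[1:].strip()
                continue
            pair = re.match(r"(\S+)\s*=\s*([^}]*)", line)
            if not pair:
                raise ValueError("cannot parse: " + line)
            stack[-1][pair.group(1)] = pair.group(2).strip()
            line = line[pair.end():].strip()
    return sections


def host_realm(conf, hostname):
    """Documented [domain_realm] lookup: exact hostname first, then each
    shorter suffix, where a '.suffix' entry or a plain host entry for that
    suffix (which implicitly covers its subdomains) both match.  Returns
    (realm, entry_that_matched), or (None, None) when nothing matches; the
    library's own fallback (DNS, realm_try_domains, referrals) is not modelled."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if "." + suffix in mapping:
            return mapping["." + suffix], "." + suffix
        if suffix in mapping:
            return mapping[suffix], suffix
    return None, None


def capath(conf, client_realm, server_realm):
    """Intermediate realms from client_realm to server_realm per [capaths]:
    [] for a direct trust ('.'), None when no path is configured."""
    if client_realm == server_realm:
        return []
    hops = conf.get("capaths", {}).get(client_realm, {}).get(server_realm)
    if hops is None:
        return None
    return [] if hops == "." else hops.split()


def ksu_verification_target(conf, client_principal, hostname):
    """Hypothetical helper: the host service principal ksu needs a ticket for
    when verifying the TGT against the local keytab, and the route to it."""
    client_realm = client_principal.rsplit("@", 1)[1]
    server_realm, matched_by = host_realm(conf, hostname)
    return {
        "service": f"host/{hostname}@{server_realm or '<unresolved>'}",
        "matched_by": matched_by,
        "client_realm": client_realm,
        "route": None if server_realm is None else capath(conf, client_realm, server_realm),
    }


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for client in ("user1@REALM1", "user1@REALM2"):
        print(client, "->", ksu_verification_target(conf, client, "server.domain"))
```

With the posted configuration the model resolves `server.domain` to REALM1 (via the `domain = REALM1` entry) and finds a direct REALM2 to REALM1 path, so a request for `host/server.domain@REALM2` would not come from these sections. To see which principal a real ksu actually asks for, run it with `KRB5_TRACE=/dev/stderr` set and compare against the keys listed by `klist -k`.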

Re: ksu / cross-realm

Benoit PLESSIS

Ok, sorry for the noise, it seems to be related to really old distro
packages in fact

On a recently-ish release it works as expected.

On 07/11/2019 10:55, Benoit PLESSIS wrote:

> Hi guys,
>
> I'm having some unexpected difficulties with ksu in a multi-realm
> environment.
>
> With user1@REALM1 and server.domain@REALM1 everything is working flawlessly:
>
>     ssh [hidden email] from user1@REALM1
>     ssh [hidden email] from user1@REALM1 (with appropriate .k5login)
>     [hidden email]> ksu user2
>
> With user1@REALM2 and server@REALM1 the ksu fails:
>
>     ssh [hidden email] from user1@REALM2 => ok
>     ssh [hidden email] from user1@REALM2 => ok
>     [hidden email]> ksu user2             => Server not found in
> Kerberos database
>
> Apparently in the second case ksu tries to request a TGS in the form of
> server@REALM2, which indeed doesn't exist.
>
> Any idea why?
>
> krb5.conf:
>
> [libdefaults]
>     default_realm = REALM1
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
> [realms]
> REALM1 = {
>     kdc = ...
>     }
> REALM2 = {
>     kdc = ...
>     }
>
> [domain_realm]
>     domain = REALM1
>
> [capaths]
>         REALM1 = { REALM2 = . }
>         REALM2 = { REALM1 = . }
>
>

