Hi,

I have a new question regarding the setup of kerberos.

In each domain I need to run a ktpass command to create the key file and the 
SPN on the user.
In each domain, for the SPN I use HTTP/myserver.ad....@domain1.com; I just 
change the value of DOMAIN. Is this correct, or should I also change the value 
of myserver.ad.net? Because when I merge the key files I will have all the 
entries with HTTP/myserver.ad.net.

Thanks for your help

Regards.

Flavien.
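On the ktpass question, an added example from the editor, not code from the thread, from IBM or from Microsoft: the host part of the SPN has to stay HTTP/myserver.ad.net in every domain, because a browser derives the service name from the URL's host and each domain's KDC issues a ticket for HTTP/myserver.ad.net@THATREALM; only the realm after the @ differs per domain (ktpass /princ HTTP/myserver.ad.net@DOMAIN1.COM, /princ HTTP/myserver.ad.net@DOMAIN2.COM, and so on). Merging does not collide on that, because a keytab entry is identified by the full name including the realm. The Python below writes and reads the version 0x0502 keytab format that ktpass, MIT ktutil and the Java ktab tool all use, merges two single-realm keytabs the way ktutil's rkt/wkt would, and shows how a server selects a key by name@REALM and kvno. The realm names DOMAIN1.COM and DOMAIN2.COM, the keys and the kvnos are constructed samples, not values from the thread.

```python
"""MIT v2 keytab writer/reader, merge and lookup.  Added example, not code
from the thread, from IBM or from Microsoft.  Realms, keys and kvnos below
are constructed samples."""
import struct

KEYTAB_MAGIC = b"\x05\x02"      # file version 0x0502, written by ktpass, ktutil and Java ktab
NT_PRINCIPAL = 1                # name_type for service principals (ktpass /ptype KRB5_NT_PRINCIPAL)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _cstr(b):
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries, timestamp=0):
    """entries: (name 'HTTP/host', realm, kvno, enctype number, key bytes)."""
    out = bytearray(KEYTAB_MAGIC)
    for name, realm, kvno, enctype, key in entries:
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)             # 32-bit kvno extension; vno8 above wraps at 256
        out += struct.pack(">i", len(body)) + body   # signed: a negative size marks a deleted slot
    return bytes(out)


def parse_keytab(data):
    """Returns a list of dicts: principal 'name@REALM', kvno, enctype name, key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                                 # deleted entry (ktutil delent): skip the hole
            pos += -size
            continue
        entry, pos, p = data[pos:pos + size], pos + size, 0
        (ncomp,) = struct.unpack_from(">H", entry, p); p += 2
        (rlen,) = struct.unpack_from(">H", entry, p); p += 2
        realm = entry[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", entry, p); p += 2
            comps.append(entry[p:p + clen].decode()); p += clen
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", entry, p); p += 9
        enctype, klen = struct.unpack_from(">HH", entry, p); p += 4
        key = entry[p:p + klen]; p += klen
        kvno = struct.unpack_from(">I", entry, p)[0] if len(entry) - p >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)), "key": key})
    return entries


def merge_keytabs(*blobs):
    """What ktutil's rkt/wkt produce from several files: an entry is identified by
    name@REALM, enctype and kvno, so HTTP/myserver.ad.net from two realms gives two
    distinct entries; exact duplicates (same file merged twice) are dropped."""
    seen, merged = set(), []
    for blob in blobs:
        for e in parse_keytab(blob):
            ident = (e["principal"], e["enctype"], e["kvno"])
            if ident not in seen:
                seen.add(ident)
                merged.append(e)
    return merged


def realms_for_spn(entries, spn):
    """Realms in which the merged keytab holds a key for one service name."""
    return sorted({e["principal"].rpartition("@")[2] for e in entries
                   if e["principal"].rpartition("@")[0] == spn})


def find_key(entries, principal, kvno=None):
    """Server-side selection when decrypting an AP-REQ: the ticket's server name
    including realm must match, and so must its kvno if the ticket carries one."""
    matches = [e for e in entries if e["principal"] == principal
               and (kvno is None or e["kvno"] == kvno)]
    return max(matches, key=lambda e: e["kvno"], default=None)


# Constructed sample keytabs, one per domain as ktpass /out would write them.
# The 16-byte rc4-hmac keys are arbitrary bytes, not real password hashes.
KT_DOMAIN1 = build_keytab([("HTTP/myserver.ad.net", "DOMAIN1.COM", 3, 23, bytes(range(16)))])
KT_DOMAIN2 = build_keytab([("HTTP/myserver.ad.net", "DOMAIN2.COM", 5, 23, bytes(range(16, 32)))])

if __name__ == "__main__":
    merged = merge_keytabs(KT_DOMAIN1, KT_DOMAIN2, KT_DOMAIN1)
    for e in merged:
        print(f"{e['principal']:45} kvno={e['kvno']} {e['enctype']}")
    print("realms:", realms_for_spn(merged, "HTTP/myserver.ad.net"))
```

Two checks are worth running after every merge: that realms_for_spn lists every domain the server must serve, and that for each realm the kvno in the keytab equals the current kvno of the mapped account, since ktpass resets the account password and an entry with a stale kvno decrypts nothing. Entries with older kvnos can stay in the file, as MIT keeps them, so that tickets issued before a key change still verify.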

-----Original Message-----
From: Tim Alsop [mailto:tim.al...@cybersafe.com]
Sent: Sunday 3 January 2010 12:27
To: BOUCHER, Flavien
Subject: RE: Kerberos multi domain - Update

If you are not using -k then the keytab (e.g. ktpass) is not involved. If 
something is wrong with the key in the keytab (caused by a ktpass issue) then 
this should not cause an exception/dump.

Tim

-----Original Message-----
From: BOUCHER, Flavien [mailto:flavien.a.bouc...@sogeti.com]
Sent: 03 January 2010 11:26
To: Tim Alsop
Subject: RE: Kerberos multi domain - Update

One more question :), do you think this issue could come from my ktpass? I 
receive a warning on the ptype when I run the ktpass command.

Flavien.

-----Original Message-----
From: Tim Alsop [mailto:tim.al...@cybersafe.com]
Sent: Sunday 3 January 2010 12:20
To: BOUCHER, Flavien
Subject: RE: Kerberos multi domain - Update

If both realms are configured, then they should both work, and obviously only 
one of them can be configured as the default. You should be able to get tickets 
from any realm configured and the software should not crash/dump.

Tim

-----Original Message-----
From: BOUCHER, Flavien [mailto:flavien.a.bouc...@sogeti.com]
Sent: 03 January 2010 11:18
To: Tim Alsop
Subject: RE: Kerberos multi domain - Update

Thanks for your help.

I think the issue comes from my krb5.conf or my WebSphere server, because I am 
only able to make Kerberos work with the domain in the default_realm value.

Regards.

Flavien.

-----Original Message-----
From: Tim Alsop [mailto:tim.al...@cybersafe.com]
Sent: Sunday 3 January 2010 11:46
To: BOUCHER, Flavien
Subject: RE: Kerberos multi domain - Update

Flavien,

I don't know. Sorry. You need to talk to IBM.
My company develops and sells commercially supported cross platform 
implementations of Kerberos protocol and associated standards, and we don't use 
open source code. I am more familiar with our own code than I am with open 
source implementations. For Java we use JNI so that the amount of actual Java 
code is reduced and performance is increased, and the features provided to Java 
apps are the same as to non-Java apps. The Java implementation of Kerberos is 
well known for being outdated, not very feature rich and having many bugs.

Thanks,
Tim

-----Original Message-----
From: BOUCHER, Flavien [mailto:flavien.a.bouc...@sogeti.com]
Sent: 03 January 2010 10:42
To: Tim Alsop
Subject: RE: Kerberos multi domain - Update

Ok, thanks.

Do you know where I can download / upgrade this Kerberos library?
For your information, I am using the WebSphere tools (kinit, ktab, klist) 
provided by IBM in the Java SDK 1.5. I will check on the IBM site if there is 
some bug in this library.

Thanks for your help.

Regards.
Flavien.

-----Original Message-----
From: Tim Alsop [mailto:tim.al...@cybersafe.com]
Sent: Sunday 3 January 2010 11:36
To: BOUCHER, Flavien; kerberos@mit.edu
Subject: RE: Kerberos multi domain - Update

Flavien,

When you use kinit user_n...@msdemo2 the keytab file is not used, unless you 
use -k option. Without -k a password is used to get the initial ticket, and 
with -k the key in the keytab is used instead of password entered by user.

It looks like there is a bug in the Kerberos library you are using, and it is 
causing this exception.

Thanks,
Tim

-----Original Message-----
From: BOUCHER, Flavien [mailto:flavien.a.bouc...@sogeti.com]
Sent: 03 January 2010 10:33
To: Tim Alsop; kerberos@mit.edu
Subject: RE: Kerberos multi domain - Update

Hi Tim,

When I try, I obtain this result:

java.lang.ClassCastException: java.lang.NegativeArraySizeException incompatible 
with com.ibm.security.krb5.KrbException
        at com.ibm.security.krb5.g.a(g.java:78)
        at com.ibm.security.krb5.g.a(g.java:10)
        at com.ibm.security.krb5.internal.tools.Kinit.a(Kinit.java:126)
        at com.ibm.security.krb5.internal.tools.Kinit.<init>(Kinit.java:65)
        at com.ibm.security.krb5.internal.tools.Kinit.main(Kinit.java:150)
com.ibm.security.krb5.KrbException, status code: 0
        message: java.lang.ClassCastException: 
java.lang.NegativeArraySizeException incompatible with 
com.ibm.security.krb5.KrbException


Is it an issue with my keytab file ?

Regards.
Flavien.

-----Original Message-----
From: Tim Alsop [mailto:tim.al...@cybersafe.com]
Sent: Sunday 3 January 2010 11:24
To: BOUCHER, Flavien; kerberos@mit.edu
Subject: RE: Kerberos multi domain - Update

Flavien,

Have you tried:

kinit user_n...@msdemo2

Thanks,
Tim

-----Original Message-----
From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of 
BOUCHER, Flavien
Sent: 03 January 2010 09:01
To: kerberos@mit.edu
Subject: Re: Kerberos multi domain - Update

Hi,

Thanks for your answer, Edward. My two KDCs have distinct IP addresses and 
ports.

I have done a test with KINIT. When I run 'KINIT -A user_name', the KINIT 
command builds user_n...@msdemo, MSDEMO being the default_realm set up in my 
krb5.conf. How could I obtain user_n...@msdemo2 except by changing 
default_realm in krb5.conf?

Regards.

Flavien.
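An added example on the kinit question, from the editor and not code from the thread or from IBM's tools: a small parser for the krb5.conf layout Flavien posted in the original message further down, with the two name-resolution steps a client performs. qualify_principal is what kinit does with its argument, which is why a bare user_name can only ever land in default_realm, and user_name@MSDEMO2 is the way to get a TGT from the second realm without editing the file; realm_for_host is the [domain_realm] lookup used when asking for a service ticket for HTTP/host, and it is what lets one file serve several realms at once. The config text is a copy of his, except that default_domain for MSDEMO is written as msdemo.local here, which is an assumption.

```python
"""krb5.conf parsing and realm resolution as a Kerberos client performs it.
Added example, not code from the thread or from IBM.  The config is a copy of
the one posted in the thread; default_domain = msdemo.local for MSDEMO is an
assumption (the original had dc.msdemo.local)."""
import re

KRB5_CONF = r"""
[libdefaults]
  default_realm = MSDEMO
  default_keytab_name = FILE:C:\Kerberos\lcserver01.keytab
  default_tkt_enctypes = rc4-hmac des-cbc-md5
  default_tgs_enctypes = rc4-hmac des-cbc-md5
  forwardable = true
  renewable = true
  noaddresses = true
  clockskew = 300

[realms]
  MSDEMO = {
    kdc = dc.msdemo.local:88
    default_domain = msdemo.local
  }
  MSDEMO2 = {
    kdc = dc2.msdemo2.local:88
    default_domain = msdemo2.local
  }

[domain_realm]
  .msdemo.local = MSDEMO
  .msdemo2.local = MSDEMO2
"""


def parse_krb5_conf(text):
    """Returns {section: {key: value | {subkey: value}}}.  Enough for the three
    sections used here; no include directives, no repeated kdc lines."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            sub = None
            continue
        if line == "}":                            # end of a REALM = { ... } block
            sub = None
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if value == "{":
            sub = section.setdefault(key, {})
        else:
            (sub if sub is not None else section)[key] = value
    return conf


def qualify_principal(conf, name):
    """What kinit does with its argument: an explicit @REALM is kept as given,
    otherwise default_realm is appended.  A bare name can never reach MSDEMO2."""
    if "@" in name:
        return name
    return f"{name}@{conf['libdefaults']['default_realm']}"


def realm_for_host(conf, host):
    """[domain_realm] lookup for a service host: exact hostname first, then the
    parent domains with a leading dot; with no match, the default realm is used."""
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    parts = host.split(".")
    for i in range(1, len(parts)):
        candidate = "." + ".".join(parts[i:])
        if candidate in mapping:
            return mapping[candidate]
    return conf["libdefaults"]["default_realm"]


def kdc_for_realm(conf, realm):
    """Which KDC address the client contacts for a realm."""
    return conf["realms"][realm]["kdc"]


CONF = parse_krb5_conf(KRB5_CONF)

if __name__ == "__main__":
    for name in ("user_name", "user_name@MSDEMO2"):
        p = qualify_principal(CONF, name)
        print(f"kinit {name:20} -> {p:25} via {kdc_for_realm(CONF, p.rpartition('@')[2])}")
    for host in ("lcserver01.msdemo.local", "lcserver01.msdemo2.local"):
        print(f"HTTP/{host:28} -> realm {realm_for_host(CONF, host)}")
```

Both realms are reachable from this one file: the only thing default_realm decides is which realm a bare user name or an unmapped host falls into, so a WebSphere server handling users from several untrusted domains needs the browser's ticket, not default_realm, to say which realm the request belongs to.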



Date: Sat, 02 Jan 2010 15:10:56 +1300
From: Edward Murrell <edw...@murrell.co.nz>
Subject: Re: Kerberos multi domain
To: "kerberos@mit.edu" <kerberos@mit.edu>

As far as I know, MIT Kerberos can run multiple KDCs on the same machine, 
but each realm needs to have its own IP or set of ports.

On Fri, 2010-01-01 at 13:19 +0100, BOUCHER, Flavien wrote:

> Hi,
>
> I need to set up Kerberos for six distinct domains; there is no trust 
> relationship between the domains.
> When I set up the domains one by one, it works.
>
> After testing each domain one by one, I merge the keytab files and change the 
> krb5.conf file:
>
> [libdefaults]
> default_realm = MSDEMO
> default_keytab_name = FILE:C:\Kerberos\lcserver01.keytab
> default_tkt_enctypes = rc4-hmac des-cbc-md5
> default_tgs_enctypes = rc4-hmac des-cbc-md5
> forwardable = true
> renewable = true
> noaddresses = true
> clockskew = 300
> [realms]
> MSDEMO = {
> kdc = dc.msdemo.local:88
> default_domain = dc.msdemo.local
> }
>
> MSDEMO2 = {
> kdc = dc2.msdemo2.local:88
> default_domain = msdemo2.local
> }
> [domain_realm]
> .msdemo.local = MSDEMO
> .msdemo2.local = MSDEMO2
>
>
> When I merge the keytabs of these two domains and change the krb5.conf, only 
> the authentication for MSDEMO works.
> When I change the krb5.conf and enter default_realm = MSDEMO2, the 
> authentication works for MSDEMO2.
>
> Is it possible to make the authentication work for both domains at the same 
> time?
>
> Regards.
>
> Flavien.
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


____________________________________________________________
Flavien Boucher / Sogeti / Paris France
Mob. : +33 (0) 6.07.72.60.67
www.sogeti.com<http://www.sogeti.com/>
Email : flavien.a.bouc...@sogeti.com<mailto:flavien.a.bouc...@sogeti.com>
6-8 rue Duret / 75016 Paris
____________________________________________________________

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
