I'm trying S4U2self to impersonate a client in another realm and it does
not work. Here is my environment:
Realm K1: normal principal u1
Realm K2: normal principal u2
service host/host.k2, with
+ok_to_auth_as_delegate
allowed_to_delegate_to *
another service s2
Now, with default realm being K2
$ kinit -k host/host.k2
$ t_s4u u2@K2 s2@K2
works fine, but
$ t_s4u u1@K1 s2@K2
Protocol transition tests follow
-----------------------------------
gss_acquire_cred_impersonate_name: Unspecified GSS failure. Minor code may provide more information
gss_acquire_cred_impersonate_name: Server not found in Kerberos database
The log of K2 shows host/host.k2 first trying to get a cross-realm TGT
to K1:
Jul 30 10:30:25 960x krb5kdc[8117](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1343615413, etypes {rep=18 tkt=18 ses=18}, host/host.k2@K2 for krbtgt/K1@K2
and in K1's log, it shows
Jul 30 10:30:25 960x krb5kdc[8114](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: UNKNOWN_SERVER: authtime 0, host/host.k2@K2 for host/host.k2@K1, Server not found in Kerberos database
Both realms have correct [domain_realm] settings, and I have no idea why
the K1 KDC cannot return a referral ticket to K2.
Thanks
Weijun
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
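The two KDC log lines quoted above are the whole diagnostic record of the failure: K2 issues host/host.k2@K2 a cross-realm TGT for K1 (krbtgt/K1@K2), and K1 then answers UNKNOWN_SERVER because the request that arrives there names host/host.k2@K1, a principal K1 does not have. The following is an added example, not code from the post or from MIT krb5: a small parser for krb5kdc TGS_REQ lines in the layout shown above, plus a correlation step that pairs a cross-realm TGT issue in one realm's log with an UNKNOWN_SERVER for the same service's name in the other realm's log. The log layout it assumes ("TGS_REQ (...) ip: STATUS: authtime N, [etypes {...}, ] client for server[, reason]") is taken from the lines in the post; the extra AS_REQ sample line is constructed to show that non-TGS lines are skipped.

```python
"""Parse MIT krb5kdc TGS_REQ log lines and flag the cross-realm S4U2self pattern
from the post: the service obtains krbtgt/K1@K2 from its home KDC, then K1's KDC
reports UNKNOWN_SERVER for the service's own name under K1.

Added illustration only; not code from the mailing-list post or from MIT krb5.
Assumed log layout (from the lines quoted in the post):
  TGS_REQ (N etypes {...}) ip: STATUS: authtime T, [etypes {...}, ] client for server[, reason]
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TGS_RE = re.compile(
    r"TGS_REQ \(\d+ etypes \{[^}]*\}\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+), (?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<reason>.*))?$"
)


@dataclass
class TgsRecord:
    ip: str
    status: str        # ISSUE, UNKNOWN_SERVER, ...
    authtime: int
    client: str        # requesting principal, e.g. host/host.k2@K2
    server: str        # requested principal, e.g. krbtgt/K1@K2
    reason: Optional[str]


def split_principal(princ: str) -> Tuple[str, str]:
    """'host/host.k2@K2' -> ('host/host.k2', 'K2')."""
    name, _, realm = princ.rpartition("@")
    return name, realm


def parse_kdc_line(line: str) -> Optional[TgsRecord]:
    """Return a TgsRecord for a TGS_REQ line, or None for anything else (AS_REQ, etc.)."""
    m = TGS_RE.search(line.strip())
    if not m:
        return None
    return TgsRecord(ip=m["ip"], status=m["status"], authtime=int(m["authtime"]),
                     client=m["client"], server=m["server"], reason=m["reason"])


@dataclass
class Finding:
    service: str        # principal that attempted the cross-realm request
    home_realm: str     # realm that issued the cross-realm TGT
    target_realm: str   # realm that rejected the follow-up request
    looked_up_as: str   # name the target KDC was asked for and could not find
    reason: str


def diagnose(lines: List[str]) -> List[Finding]:
    """Correlate a cross-realm TGT ISSUE with an UNKNOWN_SERVER for the same
    service name in the foreign realm. Feed it both realms' log lines together."""
    records = [r for r in (parse_kdc_line(l) for l in lines) if r is not None]
    findings: List[Finding] = []
    for tgt in records:
        if tgt.status != "ISSUE":
            continue
        sname, srealm = split_principal(tgt.server)
        cname, crealm = split_principal(tgt.client)
        # krbtgt/<foreign>@<home>: the client asked its own KDC for a cross-realm TGT.
        if not sname.startswith("krbtgt/") or srealm != crealm:
            continue
        foreign = sname[len("krbtgt/"):]
        for fail in records:
            fname, frealm = split_principal(fail.server)
            if (fail.status == "UNKNOWN_SERVER" and fail.client == tgt.client
                    and fname == cname and frealm == foreign):
                findings.append(Finding(service=tgt.client, home_realm=crealm,
                                        target_realm=foreign, looked_up_as=fail.server,
                                        reason=fail.reason or ""))
    return findings


# Sample input: the two TGS_REQ lines in the shape quoted in the post, plus one
# constructed AS_REQ line (the initial kinit) that the parser is expected to skip.
SAMPLE_LINES = [
    "Jul 30 10:30:20 960x krb5kdc[8117](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: "
    "ISSUE: authtime 1343615413, etypes {rep=18 tkt=18 ses=18}, host/host.k2@K2 for krbtgt/K2@K2",
    "Jul 30 10:30:25 960x krb5kdc[8117](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: "
    "ISSUE: authtime 1343615413, etypes {rep=18 tkt=18 ses=18}, host/host.k2@K2 for krbtgt/K1@K2",
    "Jul 30 10:30:25 960x krb5kdc[8114](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: "
    "UNKNOWN_SERVER: authtime 0, host/host.k2@K2 for host/host.k2@K1, Server not found in Kerberos database",
]

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LINES):
        print(f"{f.service} got krbtgt/{f.target_realm}@{f.home_realm}, then "
              f"{f.target_realm} was asked for {f.looked_up_as}: {f.reason}")
```

Running it on the sample prints one finding for host/host.k2@K2, naming host/host.k2@K1 as the principal K1 was asked for. The correlation deliberately keys on the service's own name appearing under the foreign realm, since that is what distinguishes this trace from an ordinary typo in a target service name.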