Hi guys, I'm having some unexpected difficulties with ksu in a multi-realm environment.
With user1@REALM1 and server.domain@REALM1 everything is working flawlessly:

    ssh user1@server.domain from user1@REALM1
    ssh user2@server.domain from user1@REALM1 (with appropriate .k5login)
    user1@server.domain> ksu user2

With user1@REALM2 and server@REALM1, ksu fails:

    ssh user1@server.domain from user1@REALM2 => ok
    ssh user2@server.domain from user1@REALM2 => ok
    user1@server.domain> ksu user2 => Server not found in Kerberos database

Apparently in the second case ksu tries to require a TGS in the form of server@REALM2, which indeed doesn't exist.

Any idea why?

krb5.conf:

    [libdefaults]
        default_realm = REALM1
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

    [realms]
        REALM1 = {
            kdc = ...
        }
        REALM2 = {
            kdc = ...
        }

    [domain_realm]
        domain = REALM1

    [capaths]
        REALM1 = {
            REALM2 = .
        }
        REALM2 = {
            REALM1 = .
        }

--
Benoit