directory-kerby mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Kerby Update
Date Mon, 06 Nov 2017 11:15:25 GMT
Hi Jiajia,

Thanks for your reply, I can't get it working though. I'm using two Kerby
distributions (kdc1 and kdc2) as well as the tool dist. Is this feature
fully implemented on the Kerby side for kdc2, or is it only tested with an
MIT KDC by any chance?

sh bin/kinit.sh -conf conf alice@A.EXAMPLE.COM
Password for alice@A.EXAMPLE.COM:
Successfully requested and stored ticket in /tmp/krb5cc_1000

sh bin/kinit.sh -conf conf -c /tmp/krb5cc_1000 -S service@B.EXAMPLE.COM
Kinit: get service ticket failed: Fail to get the tgs entry for remote
realm: A.EXAMPLE.COM with error code: UNKNOWN_ERR

Colm.


On Mon, Nov 6, 2017 at 1:46 AM, Li, Jiajia <jiajia.li@intel.com> wrote:

> Hi Colm,
>
> >>>a) What information is required in the krb5.conf of the tool-dist?
> The capaths, realms, domain_realm sections are required, the same as the
> MIT Kerberos.
>
>
> >>>b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM
> >>>realms) for the "Validate" section of the docs (
> https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md)?
>
> To validate the user("test") within realm A.EXAMPLE.COM is trusted to
> access the resource("hdfs") in another realm B.EXAMPLE.COM, doing the
> following steps, the conf dir is "conf":
> 1. sh bin/kinit.sh -conf conf test@A.EXAMPLE.COM
> We will get the credential cache ("/tmp/krb5cc_0")
> 2. sh bin/kinit.sh -conf conf -c /tmp/krb5cc_0 -S hdfs@B.EXAMPLE.COM
> Then we will get the service tgt, MIT Kerberos using "kvno" to get
> service tgt in this step.
>
>
> Thanks,
> Jiajia
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Friday, November 3, 2017 7:04 PM
> To: kerby@directory.apache.org
> Subject: Re: Kerby Update
>
> Hi Jiajia,
>
> I've been trying to get this new feature working, but unsuccessfully so far
> - I get an error:
>
> 2017-11-03 10:58:41  INFO{DefaultInternalKrbClient.java:82}-Send to kdc
> success.
> 2017-11-03 10:58:41  INFO{KrbHandler.java:120}-KDC server response with
> message: Unknown error
> 2017-11-03 10:58:41  INFO{KrbHandler.java:142}-Unknown error
>
> Could you clarify a few points for me please...
>
> a) What information is required in the krb5.conf of the tool-dist?
> b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM
> realms) for the "Validate" section of the docs (
> https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md)?
> It's a little unclear as to how exactly it should be used.
>
> Colm.
>
> On Mon, Oct 23, 2017 at 2:22 AM, Li, Jiajia <jiajia.li@intel.com> wrote:
>
> > Hi all,
> >
> > Recently we have implemented the cross-realm authentication support,
> > KDC in one realm can authenticate users in a different realm, so it
> > allows client from another realm to access the cluster. Cross-realm
> > authentication is accomplished by sharing a secret key between the two
> > realms. In both backends should have the krbtgt service principals for
> > realms with same passwords, key version numbers, and encryption types.
> > We have used this feature in Hadoop cluster, after establishing cross
> > realm trust between two secure Hadoop clusters with their own realms,
> > copying data between two secure clusters can work now. And this
> > support also can be used to build trust relationship with MIT Kerberos
> KDC and we have tested compatibility.
> >
> > Here is the document about setting up cross realm:
> > https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md
> >
> > Thanks,
> > Jiajia
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
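Jiajia's reply says the tool-dist krb5.conf needs the same capaths, realms and domain_realm sections as MIT Kerberos. The following krb5.conf is an added illustration of what that looks like for the two realms discussed in the thread; it is not taken from the Kerby docs or from either poster. The KDC hostnames (kdc1.a.example.com, kdc2.b.example.com) and the port are assumptions; the realm names, the "conf" directory and the two kinit steps are the ones from the thread.

```ini
# Assumed tool-dist conf/krb5.conf for a direct A.EXAMPLE.COM <-> B.EXAMPLE.COM trust.
# Hostnames below are placeholders, not values from the Kerby docs or the thread.

[libdefaults]
    default_realm = A.EXAMPLE.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    # kdc1 serves realm A, kdc2 serves realm B (two Kerby distributions, as in the thread)
    A.EXAMPLE.COM = {
        kdc = kdc1.a.example.com:88
    }
    B.EXAMPLE.COM = {
        kdc = kdc2.b.example.com:88
    }

[domain_realm]
    # Map service hostnames to the realm that issues tickets for them
    .a.example.com = A.EXAMPLE.COM
    a.example.com = A.EXAMPLE.COM
    .b.example.com = B.EXAMPLE.COM
    b.example.com = B.EXAMPLE.COM

[capaths]
    # "." means the two realms trust each other directly, with no intermediate realm.
    # Each direction of the path needs its own entry; a one-way trust lists only one.
    A.EXAMPLE.COM = {
        B.EXAMPLE.COM = .
    }
    B.EXAMPLE.COM = {
        A.EXAMPLE.COM = .
    }
```

With this file in the "conf" directory, the validation is the two-step flow from the thread: `sh bin/kinit.sh -conf conf test@A.EXAMPLE.COM` obtains the TGT for realm A, then `sh bin/kinit.sh -conf conf -c /tmp/krb5cc_0 -S hdfs@B.EXAMPLE.COM` asks kdc1 for a cross-realm TGT (krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM) and presents it to kdc2 for the service ticket. As Jiajia's original announcement notes, that second step only succeeds if both KDC backends hold the cross-realm krbtgt principal with the same password, key version number and encryption type; a mismatch in any of these is the first thing to check when the TGS request fails with a generic error such as the one Colm reports.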
