Re: openssh with cross-realm kerberos (heimdal) authentication
On Mon, May 29, 2006 at 11:41:32PM +0100, Simon Wilkinson wrote:
> Steven Van Acker wrote:
> > I'm trying to get cross-realm authentication to work between A.COM and
> > B.NET for openssh.
> > the KDC from A.COM has a principal user@A.COM.
> > the KDC from B.NET has the principal host/sshserver@B.NET
> > There's also a principal krbtgt/B.NET@A.COM on both KDC's.
> Is user@A.COM authorized to access <user>'s account on the ssh server?
> If the server's default realm is B.NET, the standard configuration will
> only allow user@B.NET to access that account.
> You need to investigate the documentation for ~/.k5login, or whatever
> other mechanisms your Kerberos library provides for authorizing
> cross-realm principals.
thx for replying so fast.
The problem was indeed the default_realm. I changed it 2 seconds after I
sent my mail, to see if that was causing the problem, and it worked.
So my cry for help was a bit premature :)
Thanks for the help!
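
The authorization rule described in the quoted reply, as a simplified model added here (not code from this thread, OpenSSH, or any Kerberos library). The function names are hypothetical, and the model assumes that when a `.k5login` exists only the principals listed in it are accepted.

```python
from typing import Iterable, Optional, Tuple


def split_principal(principal: str, default_realm: str) -> Tuple[str, str]:
    """Split 'name@REALM'; a bare name is taken to be in the default realm."""
    name, sep, realm = principal.rpartition("@")
    return (name, realm) if sep else (principal, default_realm)


def may_login(principal: str, local_user: str, default_realm: str,
              k5login: Optional[Iterable[str]] = None) -> bool:
    """Model of the account-authorization step that follows authentication.

    k5login is the content of the target account's ~/.k5login as lines,
    or None when the file does not exist.
    Assumption of this model: an existing .k5login is authoritative.
    """
    client = split_principal(principal, default_realm)
    if k5login is not None:
        listed = {split_principal(line.strip(), default_realm)
                  for line in k5login if line.strip()}
        return client in listed
    # No .k5login: only <local_user>@<default_realm> maps to the account.
    return client == (local_user, default_realm)


if __name__ == "__main__":
    # Constructed cases using the realms and principal from the thread.
    cases = [
        ("no .k5login, default_realm = B.NET", "B.NET", None),
        (".k5login lists user@A.COM", "B.NET", ["user@A.COM\n"]),
        ("no .k5login, default_realm = A.COM", "A.COM", None),
    ]
    for label, realm, k5login in cases:
        verdict = may_login("user@A.COM", "user", realm, k5login)
        print(f"{label}: {'allowed' if verdict else 'denied'}")
```

A valid cross-realm ticket is not enough on its own: the server still has to map the foreign principal to a local account, which is why the login only succeeded once that mapping changed.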