Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!decwrl!ucbvax!agate!shelby!USC.EDU!alfonso%agena.usc.edu
From: alfonso%agena.usc.edu@USC.EDU (Tasha Alfonso)
Newsgroups: comp.protocols.kerberos
Subject: inter-realm authentication
Message-ID: <9007120254.AA00551@agena.usc.edu>
Date: 12 Jul 90 02:54:35 GMT
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 78

what we want to do:

We have two independent realms, USC.EDU and USC2.EDU. Our own network
service application, visa, is registered in realm USC2.EDU. A user (root)
is registered in the realm USC.EDU and needs to be authenticated to the
visa service in realm USC2.EDU.

More specifically, root.@USC.EDU needs inter-realm authentication to
visa.pompei@USC2.EDU, where visa is the principal/service, pompei is the
instance and USC2.EDU is the realm.

Without success, we followed instructions found in the kerberos mail
archive:

    [0444] daemon@TELECOM.MIT.EDU Kerberos 07/12/88 14:29 (50 lines)
    Subject: Re: Crossing Realms
    From: Jon Rochlis
    To: Doug Alan
    Cc: kerberos@ATHENA.MIT.EDU
    In-Reply-To: Doug Alan's message of Tue, 12 Jul 88 00:57:52 EDT,

We interpreted the instructions for inter-realm authentication outlined in
this message and made the following entries:

REALM USC.EDU

    kerberos server in this realm is xanadu.usc.edu

    kdb_edit to add principal krbtgt, instance USC2.EDU

    added to /usr/etc/credentials
    (this filesystem is shared by xanadu and pompei so the access grants
    for both root@pompei and root@xanadu are in the same file)
        root@xanadu.usc.edu:0
        root@pompei.usc.edu:0

    added to /etc/krb.realm
        pompei.usc.edu USC2.EDU

    added to /etc/krb.conf
        USC2.EDU pompei.usc.edu

REALM USC2.EDU

    kerberos server in this realm is pompei.usc.edu

    kdb_edit to add principal krbtgt, instance USC.EDU

    added to /usr/etc/credentials
    (this filesystem is shared by xanadu and pompei so the access grants
    for both root@pompei and root@xanadu are in the same file)
        root@xanadu.usc.edu:0
        root@pompei.usc.edu:0

    added to /etc/krb.realm
        xanadu.usc.edu USC.EDU

    added to /etc/krb.conf
        USC.EDU xanadu.usc.edu

Results/errors

If we try kinit -r, we obtain a tgt ticket to the remote ticket granting
service. That seems to work. However, when we try authenticating to the
remote service we got the following kerberos error message:

    krb_rd_req returned 31: Can't decode authenticator (krb_rd_req)

Is this the correct procedure for inter-realm authentication? Any help is
much appreciated!

Thanks,
Tasha Alfonso
Ron Cocchi