Path: utzoo!attcan!uunet!decwrl!shelby!MIT.EDU!jon
From: jon@MIT.EDU (Jon A. Rochlis)
Newsgroups: comp.protocols.kerberos
Subject: Re: inter-realm authentication
Message-ID: <9007121723.AA10813@delwin.MIT.EDU>
Date: 12 Jul 90 17:23:05 GMT
References: <9007120254.AA00551@agena.usc.edu>
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 40

> From: alfonso%agena.usc.edu@usc.edu (Tasha Alfonso)
> To: kerberos@ATHENA.MIT.EDU
> Cc: alfonso@agena.usc.edu, cocchi@jerico.MIT.EDU
> Subject: inter-realm authentication

Your mailer doesn't seem to fully qualify cc'd domain names (i.e. jerico.MIT.EDU probably wants to be jerico.usc.edu).

> We interpreted the instructions for inter-realm authentication outlined in this message and made the following entries:

It's very important that krbtgt.USC2.EDU@USC.EDU and krbtgt.USC.EDU@USC2.EDU both have the same private keys. Is this the case? It isn't clear to me from your message if you did that part correctly.

> If we try kinit -r, we obtain a tgt ticket to the remote ticket granting service. That seems to work.

You shouldn't need to kinit -r. The following is the sequence of tickets that should be obtained if root@USC.EDU wishes to authenticate to visa.pompei@USC2.EDU:

(1) krbtgt.USC.EDU@USC.EDU
(2) krbtgt.USC2.EDU@USC.EDU [by presenting (1) to the USC.EDU krb server]
(3) visa.pompei@USC2.EDU [by presenting (2) to the USC2.EDU krb server, which is able to decode this TGT because it is encrypted in the same key as krbtgt.USC.EDU@USC2.EDU which the USC2.EDU krb servers have in their db]

Steps (2) and (3) should happen automagically when you ask krb_sendauth or krb_mk_req to get a ticket for visa.pompei@USC2.EDU.

Which of these tickets do you get? What do the kerberos.log files on both servers say?

-- Jon
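As an added illustration, not part of Jon's post or of MIT Kerberos, here is a constructed toy model of the three-step ticket chain above: the USC2.EDU server can decode the cross-realm TGT only when krbtgt.USC2.EDU@USC.EDU and krbtgt.USC.EDU@USC2.EDU hold the same key. A keyed MAC stands in for v4 DES ticket encryption, and the `KDC`, `seal` and `demo` names are hypothetical.

```python
# Constructed toy model of the Kerberos v4 inter-realm chain; not MIT Kerberos code.
import hashlib
import hmac
import json
import os

def seal(key, claims):
    """Stand-in for 'encrypt ticket in the service key': keyed MAC over the claims."""
    body = json.dumps(claims, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

class KDC:
    """One realm's krb server with its principal database (principal -> key)."""
    def __init__(self, realm, db):
        self.realm = realm
        self.db = db

    def open_ticket(self, principal, ticket):
        """Decode a ticket with the key this realm holds for `principal`, or None."""
        body, tag = ticket
        key = self.db.get(principal)
        if key is None:
            return None
        if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
            return None  # key mismatch: this server cannot read the ticket
        return json.loads(body)

    def tgs(self, tgt, tgt_principal, service):
        """Ticket-granting exchange: present `tgt`, receive a ticket for `service`."""
        claims = self.open_ticket(tgt_principal, tgt)
        if claims is None:
            return None
        return seal(self.db[service], {"client": claims["client"], "service": service})

def cross_realm_chain(usc, usc2, client):
    """Steps (1)-(3) for a USC.EDU client reaching visa.pompei@USC2.EDU."""
    tgt = seal(usc.db["krbtgt.USC.EDU@USC.EDU"], {"client": client})          # (1)
    xtgt = usc.tgs(tgt, "krbtgt.USC.EDU@USC.EDU", "krbtgt.USC2.EDU@USC.EDU")  # (2)
    if xtgt is None:
        return None
    return usc2.tgs(xtgt, "krbtgt.USC.EDU@USC2.EDU", "visa.pompei@USC2.EDU")  # (3)

def demo(shared_key_matches):
    """True iff the chain completes; the only knob is whether both realms share the inter-realm key."""
    k_local, k_visa, k_x = os.urandom(16), os.urandom(16), os.urandom(16)
    usc = KDC("USC.EDU", {"krbtgt.USC.EDU@USC.EDU": k_local, "krbtgt.USC2.EDU@USC.EDU": k_x})
    usc2 = KDC("USC2.EDU", {"krbtgt.USC.EDU@USC2.EDU": k_x if shared_key_matches else os.urandom(16),
                            "visa.pompei@USC2.EDU": k_visa})
    return cross_realm_chain(usc, usc2, "root@USC.EDU") is not None
```

With mismatched keys the client still gets tickets (1) and (2) from its own realm; step (3) is where the remote server rejects the TGT, which is the symptom to look for in the USC2.EDU kerberos.log.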