Skip Menu |
 

From: Mukul Agarwal <Mukul.Agarwal@citrix.com>
To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Date: Mon, 21 Nov 2011 21:36:08 +0530
Subject: S4U cross realm error

Dear Kerberos experts,

I am working on some use case of constrained delegation wherein I am 
trying to get service ticket for a service using delegated user on 
behalf of an end user. I am experimenting this using "kvno" tool where 
I am getting correct service ticket if user and service is in the same 
realm. 

However I am getting following error for cross realm scenario when end 
user and service is in different domain (I have setup 2 way trust for 
this). 

>kinit -f delegate_user@FOREST2.COM 
>kvno -k delegate.keytab  -U test1@FOREST1.COM -P cifs/machine-forest2.forest2.com@FOREST2.COM 

kvno: Server not found in Kerberos database while getting credentials 
for cifs/machine-forest2.forest2.com@FOREST2.COM 

Here "delegated_user" (part of forest2) is trying to get service ticket for 
CIFS  (in forest2) on behalf of user "test1" (in forest1). 

Any help is appreciate. 

TIA, 
Mukul