I have Kerberos authentication working with a stand alone KDC. However, our next step is to allow users from another realm/domain to access the cluster. Obviously I followed the guide for cross realm configuration, but I am having little success. Does anyone know of another way to test the cross realm configuration without going through the cluster? Or at least how to turn on some more robust logging? The authentication always stays on the local kdc and never tries to go out to the AD. I was under the impression that once the configurations with the cross realm principals were in place, kerberos would look first locally for an acount and then remotely. However I am guessing that I am completely off base. Here are my crossrealm entries in my KDC: krbtgt/DATA.FOREST.COM@DATA.FOREST.COM krbtgt/DATA.FOREST.COM@FOREST.COM krbtgt/FOREST.COM@DATA.FOREST.COM Here is my krb5.conf: [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = DATA.FOREST.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] DATA.FOREST.COM = { kdc = ip-10-0-0-241.us-west-2.compute.internal admin_server = ip-10-0-0-241.us-west-2.compute.internal default_domain = data.forest.com } FOREST.COM = { kdc = ip-10-0-0-251.us-west-2.compute.internal admin_server = ip-10-0-0-251.us-west-2.compute.internal default_domain = forest.com } [domain_realm] .data.forest.com = DATA.FOREST.COM data.forest.com = DATA.FOREST.COM .forest.com = FOREST.COM forest.com = FOREST.COM Any assistance would be appreciated.
... View more
