• 'HANDLE_AUTHDATA' error when trying to set up Kerberos trust between

    From Dmitri Pal@21:1/5 to Robert Sturrock on Mon Jun 15 09:00:50 2020
    Copy: [email protected] ([email protected])

    On Mon, Jun 15, 2020 at 2:39 AM Robert Sturrock <[email protected]> wrote:

    Hi All,

    I’m trying to create a (one-way) Kerberos trust between AD and a FreeIPA installation, such that user TGTs from AD can be used to access resources
    in the IPA realm.

    I followed some (non-IPA related) steps for setting up Kerberos trusts between AD and MIT Kerberos - essentially creating a common TGT principal
    in both systems with a common password. This works to a point (i.e. I can
    get the TGT for IPA using the AD TGT), but when I try to fetch a service ticket in the IPA domain I get a 'HANDLE_AUTHDATA' error.


    Was there any reason not to follow IPA steps for setting trusts?
    They are very straightforward. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-trust-between-idm-and-ad_installing-identity-management




    Here is what I’m seeing:

    (AD domain = 'STAFF.LOCALREALM'; IPA domain = 'PALLAS.LOCALREALM')

    # Get AD TGT:
    Password for [email protected]EALM: XXXXXXXXX

    $ klist
    Ticket cache: KEYRING:persistent:10846:10846
    Default principal: [email protected]EALM

    Valid starting       Expires              Service principal
    11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/[email protected]EALM
        renew until 12/06/20 13:34:18

    # Use AD TGT to get an IPA TGT:
    $ kvno krbtgt/[email protected]EALM
    krbtgt/[email protected]EALM: kvno = 0

    $ klist
    Ticket cache: KEYRING:persistent:10846:10846
    Default principal: [email protected]EALM

    Valid starting       Expires              Service principal
    11/06/20 13:34:24    11/06/20 23:34:19    krbtgt/[email protected]EALM
        renew until 12/06/20 13:34:18
    11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/[email protected]EALM
        renew until 12/06/20 13:34:18

    # Try to fetch an IPA service ticket:
    $ kvno host/[email protected]EALM
    kvno: KDC returned error string: HANDLE_AUTHDATA while getting
    credentials for host/[email protected]EALM

    Can anyone provide some idea as to what's going on here and how I resolve this? I don't really know what 'HANDLE_AUTHDATA' indicates and I'm not
    able to find a lot of documentation explaining this.

    Thanks!

    Robert.

    ________________________________________________
    Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos



    --

    Thank you,
    Dmitri Pal

    Director, Software Engineering
    Red Hat Enterprise Linux Platform Security and Identity Management [email protected]
    <https://red.ht/sig>
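The sequence in the thread (AD TGT, then the cross-realm TGT obtained with kvno, then the failing service-ticket request) is easy to get out of order, and HANDLE_AUTHDATA is returned by the KDC only on that last step. The following script is an added example, not code from the post or from FreeIPA: it parses MIT `klist` output of the shape shown above and reports which TGTs of the direct-trust chain (krbtgt/CLIENT@CLIENT and krbtgt/TARGET@CLIENT) are still missing before a service ticket in the target realm can be requested. It assumes STAFF.LOCALREALM is the client (AD) realm and PALLAS.LOCALREALM the target (IPA) realm as the post states, assumes a direct trust with no [capaths] hops, and the user name `aduser` and the sample klist text are constructed to mirror the thread with the principals written out in full.

```python
"""Check a credential cache listing for the cross-realm TGT chain.

Added example (not from the mailing-list post or from FreeIPA).  It only
inspects the client-side cache, so it can confirm the chain is complete
before the step at which the thread's KDC returned HANDLE_AUTHDATA; it
cannot diagnose that error itself.
"""
import re
from dataclasses import dataclass

# Realms from the thread (assumed mapping: STAFF = AD/client, PALLAS = IPA/target).
AD_REALM = "STAFF.LOCALREALM"
IPA_REALM = "PALLAS.LOCALREALM"

# One credential line of MIT klist output: "<valid starting> <expires> <service principal>".
# The header line and the "renew until" continuation lines do not match.
_TICKET_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)
_DEFAULT_RE = re.compile(r"^Default principal:\s+(\S+)\s*$", re.M)


@dataclass(frozen=True)
class Ticket:
    service: str  # e.g. "krbtgt/PALLAS.LOCALREALM" or "host/fred.pallas.localrealm"
    realm: str    # realm that issued the ticket (the part after '@')


def parse_klist(text: str) -> tuple[str, list[Ticket]]:
    """Return (default principal, tickets in listing order) from klist output."""
    m = _DEFAULT_RE.search(text)
    principal = m.group(1) if m else ""
    tickets = []
    for line in text.splitlines():
        t = _TICKET_RE.match(line)
        if not t:
            continue
        service, _, realm = t.group(3).rpartition("@")
        tickets.append(Ticket(service, realm))
    return principal, tickets


def ticket_kind(t: Ticket, client_realm: str) -> str:
    """Classify a ticket relative to the realm that issued the initial TGT."""
    if not t.service.startswith("krbtgt/"):
        return "service ticket"
    tgt_realm = t.service.split("/", 1)[1]
    if tgt_realm == client_realm and t.realm == client_realm:
        return "local TGT"
    if t.realm == client_realm:
        return "cross-realm TGT"   # issued by the client realm, usable in tgt_realm
    return "intermediate TGT"      # would only appear with [capaths] hops


def expected_chain(client_realm: str, target_realm: str) -> list[Ticket]:
    """With a direct trust the client needs exactly these two TGTs before it
    can ask the target realm's KDC for a service ticket."""
    return [
        Ticket(f"krbtgt/{client_realm}", client_realm),
        Ticket(f"krbtgt/{target_realm}", client_realm),
    ]


def missing_tgts(tickets: list[Ticket], client_realm: str, target_realm: str) -> list[str]:
    """TGTs still to be obtained; an empty list means the next step is the
    service-ticket request (the one that failed in the thread)."""
    held = set(tickets)
    return [f"{t.service}@{t.realm}"
            for t in expected_chain(client_realm, target_realm) if t not in held]


# Constructed klist output mirroring the thread, principals written out in full.
KLIST_AFTER_KINIT = """\
Ticket cache: KEYRING:persistent:10846:10846
Default principal: aduser@STAFF.LOCALREALM

Valid starting       Expires              Service principal
11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
    renew until 12/06/20 13:34:18
"""

KLIST_AFTER_KVNO = """\
Ticket cache: KEYRING:persistent:10846:10846
Default principal: aduser@STAFF.LOCALREALM

Valid starting       Expires              Service principal
11/06/20 13:34:24    11/06/20 23:34:19    krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
    renew until 12/06/20 13:34:18
11/06/20 13:34:19    11/06/20 23:34:19    krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
    renew until 12/06/20 13:34:18
"""


def report(text: str, client_realm: str = AD_REALM, target_realm: str = IPA_REALM) -> str:
    principal, tickets = parse_klist(text)
    lines = [f"principal: {principal}"]
    lines += [f"  {ticket_kind(t, client_realm):16} {t.service}@{t.realm}" for t in tickets]
    missing = missing_tgts(tickets, client_realm, target_realm)
    lines.append("missing: " + (", ".join(missing) if missing else "none (ready for kvno host/...)"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(KLIST_AFTER_KINIT))
    print()
    print(report(KLIST_AFTER_KVNO))
```

Run the script as-is to see both states from the thread: after the initial AD login only the local TGT is held and the cross-realm TGT is reported missing; after the kvno step the chain is complete, which is exactly the point at which the thread's request for host/... in the IPA realm was answered with HANDLE_AUTHDATA by the KDC rather than the client.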
