• 'HANDLE_AUTHDATA' error when trying to setup Kerberos trust between AD

    From Robert Sturrock@21:1/5 to All on Mon Jun 15 06:25:31 2020
    Hi All,

    I’m trying to create a (one-way) Kerberos trust between AD and a FreeIPA installation, such that user TGTs from AD can be used to access resources in the IPA realm.

    I followed some (non-IPA-related) steps for setting up Kerberos trusts between AD and MIT Kerberos - essentially creating a common TGT principal in both systems with a common password. This works to a point (i.e. I can get the TGT for IPA using the AD TGT), but when I try to fetch a service ticket in the IPA domain I get a 'HANDLE_AUTHDATA' error.

    Here is what I’m seeing:

    (AD domain = 'STAFF.LOCALREALM'; IPA domain = 'PALLAS.LOCALREALM')

    # Get AD TGT:
    Password for rns@STAFF.LOCALREALM: XXXXXXXXX

    $ klist
    Ticket cache: KEYRING:persistent:10846:10846
    Default principal: rns@STAFF.LOCALREALM

    Valid starting Expires Service principal
    11/06/20 13:34:19 11/06/20 23:34:19 krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
    renew until 12/06/20 13:34:18

    # Use AD TGT to get an IPA TGT:
    $ kvno krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
    krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM: kvno = 0

    $ klist
    Ticket cache: KEYRING:persistent:10846:10846
    Default principal: rns@STAFF.LOCALREALM

    Valid starting Expires Service principal
    11/06/20 13:34:24 11/06/20 23:34:19 krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
    renew until 12/06/20 13:34:18
    11/06/20 13:34:19 11/06/20 23:34:19 krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
    renew until 12/06/20 13:34:18

    # Try to fetch an IPA service ticket:
    $ kvno host/palladium1.localdomain@PALLAS.LOCALREALM
    kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/palladium1.localdomain@PALLAS.LOCALREALM

    Can anyone provide some idea as to what’s going on here and how I resolve this? I don’t really know what ‘HANDLE_AUTHDATA’ indicates and I’m not able to find a lot of documentation explaining this.

    Thanks!

    Robert.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
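To pin down which hop of a cross-realm chain like the one above has failed (home TGT, cross-realm TGT, or the final service ticket) before digging into KDC logs, here is an added diagnostic that parses klist and kvno output. This is my own example, not code from the post or from FreeIPA; the sample output is constructed to mirror what the post shows, and the status strings are my own.

```python
import re

DATE = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
KLIST_ROW = re.compile(rf"^({DATE})\s+({DATE})\s+(\S+)$")
KVNO_ERR = re.compile(r"^kvno: KDC returned error string: (\S+) while getting credentials for (\S+)$")

def parse_klist(text):
    """Return (default principal, {service principal: expiry}) from klist output."""
    principal, tickets = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := KLIST_ROW.match(line)):  # header and 'renew until' lines do not match
            tickets[m.group(3)] = m.group(2)
    return principal, tickets

def parse_kvno_error(line):
    """Return (KDC error string, requested principal) from a failed kvno line, else None."""
    m = KVNO_ERR.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def trust_chain_status(klist_text, target_realm, kvno_line=None):
    """Report the first missing hop: home TGT, cross-realm TGT, or service ticket."""
    principal, tickets = parse_klist(klist_text)
    if principal is None:
        return "no credential cache"
    home_realm = principal.rsplit("@", 1)[1]
    if f"krbtgt/{home_realm}@{home_realm}" not in tickets:
        return f"no TGT for home realm {home_realm}"
    if f"krbtgt/{target_realm}@{home_realm}" not in tickets:
        return f"no cross-realm TGT krbtgt/{target_realm}@{home_realm}"
    if any(s.endswith("@" + target_realm) and not s.startswith("krbtgt/") for s in tickets):
        return f"service ticket in {target_realm} obtained"
    err = parse_kvno_error(kvno_line or "")
    if err:
        return f"cross-realm TGT ok; {target_realm} KDC refused {err[1]} with {err[0]}"
    return f"cross-realm TGT ok; no service ticket for {target_realm} yet"

# Constructed sample mirroring the post's second klist and its kvno failure.
SAMPLE_KLIST = """\
Default principal: rns@STAFF.LOCALREALM
Valid starting       Expires              Service principal
11/06/20 13:34:24  11/06/20 23:34:19  krbtgt/PALLAS.LOCALREALM@STAFF.LOCALREALM
    renew until 12/06/20 13:34:18
11/06/20 13:34:19  11/06/20 23:34:19  krbtgt/STAFF.LOCALREALM@STAFF.LOCALREALM
"""
SAMPLE_KVNO = ("kvno: KDC returned error string: HANDLE_AUTHDATA while getting "
               "credentials for host/palladium1.localdomain@PALLAS.LOCALREALM")
```

Running trust_chain_status(SAMPLE_KLIST, "PALLAS.LOCALREALM", SAMPLE_KVNO) reports that both TGTs are present and that the IPA KDC itself refused the service request, which localises the problem to the IPA side's handling of the cross-realm ticket rather than to the AD TGT or the shared krbtgt key.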