[36762] in Kerberos


cross realm trusts

daemon@ATHENA.MIT.EDU (Paul B. Henson)
Thu Feb 5 17:59:08 2015

From: "Paul B. Henson" <henson@acm.org>
To: <kerberos@mit.edu>
Date: Thu, 5 Feb 2015 14:58:45 -0800
Message-ID: <0ce201d04197$4d9c9940$e8d5cbc0$@acm.org>
MIME-Version: 1.0
Content-Language: en-us
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

In my ongoing saga of renaming our domain, I'm almost to the point of
bringing up a second set of kerberos servers for the new realm. As part of
the transition, ideally I would like to set up a trust between them so users
could authenticate to either realm and transparently access services in the
other.

If I understand correctly, I need to create the following two principals in
both realms:

krbtgt/CPP.EDU@CSUPOMONA.EDU
krbtgt/CSUPOMONA.EDU@CPP.EDU

and add the following to the krb5.conf so they talk directly rather than
trying to go hierarchically through EDU:

[capaths]
CSUPOMONA.EDU = {
	CPP.EDU = .
}
CPP.EDU = {
	CSUPOMONA.EDU = .
}

Both realms will have exactly the same set of users. Are these the only two
steps needed to allow a principal user@CSUPOMONA.EDU to directly access
services in the CPP.EDU realm transparently? Or is there something else I
need to do to allow transparency during the migration?

Thanks much.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
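A small resolver for the [capaths] stanza quoted in the post, added here as an example and not part of the original message: it parses the krb5.conf fragment, returns the intermediate realms a ticket must cross (the hierarchical walk through EDU when no entry exists, none when the entry is "."), and lists the cross-realm krbtgt principals each hop requires. The hierarchical walk is a simplified model of the KDC's default behaviour, an assumption rather than a transcription of MIT's code.

```python
import re
# Constructed sample krb5.conf fragment: the [capaths] stanza the post proposes.
KRB5_CONF = """[capaths]
CSUPOMONA.EDU = {
    CPP.EDU = .
}
CPP.EDU = {
    CSUPOMONA.EDU = .
}
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [hop, ...]}} from krb5.conf text.
    A repeated server key inside a block lists successive intermediate realms."""
    paths, section, client = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, client = line[1:-1], None
        elif section != "capaths":
            continue
        elif m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
            paths.setdefault((client := m.group(1)), {})
        elif line == "}":
            client = None
        elif client and (m := re.fullmatch(r"(\S+)\s*=\s*(\S+)", line)):
            paths[client].setdefault(m.group(1), []).append(m.group(2))
    return paths

def hierarchical_path(client, server):
    """Default when [capaths] is silent: walk up to the common suffix, then down (simplified; assumption)."""
    c, s = client.split("."), server.split(".")
    n = 0
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    up = [".".join(c[i:]) for i in range(1, len(c) - n + 1)]
    down = [".".join(s[i:]) for i in range(len(s) - n - 1, 0, -1)]
    return [r for r in up + down if r]

def trust_path(capaths, client, server):
    """Intermediate realms to cross from client to server; '.' means direct."""
    hops = capaths.get(client, {}).get(server) or hierarchical_path(client, server)
    return [] if hops == ["."] else hops

def krbtgt_principals(client, server, path):
    """Cross-realm krbtgt entries the path needs; each must exist in both KDCs."""
    chain = [client] + path + [server]
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(chain, chain[1:])]
```

With the stanza present, trust_path returns no intermediates and krbtgt_principals yields exactly the two krbtgt entries the post lists; without it, the same realm pair routes through EDU and would need krbtgt/EDU entries that do not exist.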
