[38060] in Kerberos


Is [capaths] section necessary for cross-realm kerberos auth?

daemon@ATHENA.MIT.EDU (pratyush parimal)
Fri Aug 25 11:39:09 2017

From: pratyush parimal <pratyush.parimal@gmail.com>
Date: Fri, 25 Aug 2017 11:38:53 -0400
Message-ID: <CALvRNOGmz0zAHSvzpa+BXFCHUCQxvirhPKVSLAGsWPgau-979A@mail.gmail.com>
To: kerberos@mit.edu

Hi all,

I'm trying to set up cross-realm between a KDC in EXAMPLE.COM (containing my
users) to a KDC in HADOOP.COM (containing my services).

I read from manuals (like the ones on
https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/capaths.html
and
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-kerberos-crossrealm.html)
that you have to do 2 things in order to achieve this:

(1) add a "trust" principal called krbtgt/HADOOP.COM@EXAMPLE.COM to both
KDCs.
(2) add a "capaths" section to the EXAMPLE.COM KDC like so:

[capaths]
 HADOOP.COM = {
  EXAMPLE.COM = .
 }

However, in practice I found that my setup works even without step (2). I'm
wondering if the "capaths" is deprecated or something? Or is it needed for
setups that are more complicated in some way?

Thanks in advance!
Pratyush Parimal.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
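As an added example (not code from the post or from MIT krb5), the Python below parses a [capaths] block and computes the intermediate realms for a client-realm/server-realm pair, falling back to the hierarchical default when no entry exists; in [capaths] the outer tag is the client realm and the inner tag the server realm, so run on the block from the post it yields a direct path only for HADOOP.COM clients reaching EXAMPLE.COM, while EXAMPLE.COM to HADOOP.COM has no entry and falls back to the path via COM. The sample config and the hierarchical-walk helper are constructed for this example.

```python
import re

def parse_capaths(conf: str) -> dict:
    """Parse [capaths] into {client_realm: {server_realm: [hop, ...]}}; "." = direct."""
    paths, client, in_section = {}, None, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):          # section header; only [capaths] is parsed
            in_section = line == "[capaths]"
        elif not in_section:
            continue
        elif (m := re.match(r"^(\S+)\s*=\s*\{$", line)):
            client = m.group(1)           # start of a client-realm block
            paths.setdefault(client, {})
        elif line == "}":
            client = None
        elif client and (m := re.match(r"^(\S+)\s*=\s*(\S+)$", line)):
            server, hop = m.groups()      # one intermediate realm (or ".") per line
            paths[client].setdefault(server, []).append(hop)
    return paths

def hierarchical_path(client: str, server: str) -> list:
    """Default when [capaths] has no entry: up to the common ancestor realm, then down."""
    c, s = client.split("."), server.split(".")
    k = 0                                 # trailing name components the realms share
    while k < min(len(c), len(s)) and c[-1 - k] == s[-1 - k]:
        k += 1
    up = [".".join(c[i:]) for i in range(1, len(c) - k + 1)]
    down = [".".join(s[i:]) for i in range(len(s) - k - 1, 0, -1)]
    return [r for r in up + down if r and r not in (client, server)]

def realm_path(capaths: dict, client: str, server: str) -> list:
    """Intermediate realms a client in `client` needs TGTs for; [] means one direct hop."""
    hops = capaths.get(client, {}).get(server)
    if hops is not None:
        return [h for h in hops if h != "."]
    return hierarchical_path(client, server)

# Constructed sample: the [capaths] block from the post inside a krb5.conf.
SAMPLE_CONF = """[libdefaults]
 default_realm = EXAMPLE.COM
[capaths]
 HADOOP.COM = {
  EXAMPLE.COM = .
 }
"""
```

A direct cross-realm TGT (krbtgt/HADOOP.COM@EXAMPLE.COM issued by the EXAMPLE.COM KDC) carries an empty transited-realm list, so the HADOOP.COM KDC has nothing to check against [capaths]; the section matters once tickets pass through an intermediate realm, where the client uses it to compute the path and the KDC uses it to validate the transited list.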
