Is [capaths] section necessary for cross-realm kerberos auth?
From: pratyush parimal <pratyush.parimal@gmail.com>
Date: Fri, 25 Aug 2017 11:38:53 -0400
Message-ID: <CALvRNOGmz0zAHSvzpa+BXFCHUCQxvirhPKVSLAGsWPgau-979A@mail.gmail.com>
To: kerberos@mit.edu
Hi all,
I'm trying to set up cross-realm between a KDC in EXAMPLE.COM (containing my
users) and a KDC in HADOOP.COM (containing my services).
I read from manuals (like the ones on
https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/capaths.html
and
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-kerberos-crossrealm.html)
that you have to do 2 things in order to achieve this:
(1) add a "trust" principal called krbtgt/HADOOP.COM@EXAMPLE.COM to both
the KDCs.
(2) add a "capaths" section to the EXAMPLE.COM KDC like so:
[capaths]
HADOOP.COM = {
EXAMPLE.COM = .
}
However, in practice I found that my setup works even without step (2). I'm
wondering if the "capaths" is deprecated or something? Or is it needed for
setups that are more complicated in some way?
Thanks in advance!
Pratyush Parimal.
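The following is an added illustration, not code from the post or from MIT krb5: a simplified Python model of how an authentication path between two realms is chosen (an explicit [capaths] entry, keyed client realm then server realm as the krb5.conf documentation describes, else the hierarchical fallback that climbs dotted realm names to their common suffix) and of the KDC-side check of a ticket's transited field. The dict layout, function names and the "every transited realm must lie on the configured path" rule are assumptions of this model, not MIT's implementation.

```python
def hierarchical_path(client, server):
    """Default path when no capaths entry exists: climb from the client realm
    to the longest common suffix of the two names, then descend to the server.
    Returns only the intermediate realms."""
    c, s = client.split("."), server.split(".")
    n = 0
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    up = [".".join(c[i:]) for i in range(1, len(c) - n + 1) if c[i:]]
    down = [".".join(s[i:]) for i in range(len(s) - n - 1, 0, -1)]
    return [r for r in up + down if r not in (client, server)]


def capaths_path(capaths, client, server):
    """Explicit path from the [capaths] model, or None if not configured.
    An empty list stands for "." (a direct hop)."""
    return capaths.get(client, {}).get(server)


def auth_path(capaths, client, server):
    """Intermediate realms a client in `client` traverses to reach `server`.
    An explicit capaths entry wins; otherwise fall back to the hierarchy."""
    if client == server:
        return []
    explicit = capaths_path(capaths, client, server)
    return explicit if explicit is not None else hierarchical_path(client, server)


def transited_ok(capaths, client, server, transited):
    """KDC-side check (simplified model): every realm recorded in the ticket's
    transited field must lie on the configured path for this realm pair.
    A direct cross-realm hop records no intermediate realms, so an empty
    transited list passes with or without a capaths entry."""
    allowed = set(auth_path(capaths, client, server))
    return all(r in allowed for r in transited)


# Constructed config for the two realms in the post, in the documented
# direction: subsection = client realm, tag = server realm, [] = ".".
CAPATHS = {
    "EXAMPLE.COM": {"HADOOP.COM": []},
    "HADOOP.COM": {"EXAMPLE.COM": []},
}

if __name__ == "__main__":
    print(hierarchical_path("EXAMPLE.COM", "HADOOP.COM"))   # ['COM']
    print(auth_path(CAPATHS, "EXAMPLE.COM", "HADOOP.COM"))  # []
    print(transited_ok({}, "EXAMPLE.COM", "HADOOP.COM", []))  # True
```

Without a capaths entry the hierarchical rule routes EXAMPLE.COM to HADOOP.COM via a "COM" realm that does not exist, while the direct krbtgt/HADOOP.COM@EXAMPLE.COM hop carries an empty transited field and is accepted either way; capaths matters as soon as a path has intermediate realms that the hierarchy would not produce.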
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos