[38061] in Kerberos


Re: Is [capaths] section necessary for cross-realm kerberos auth?

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Aug 25 12:01:07 2017

To: pratyush parimal <pratyush.parimal@gmail.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <0edbb56f-5191-aa84-17a1-9a71e7c24c83@mit.edu>
Date: Fri, 25 Aug 2017 12:00:55 -0400
MIME-Version: 1.0
In-Reply-To: <CALvRNOGmz0zAHSvzpa+BXFCHUCQxvirhPKVSLAGsWPgau-979A@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 08/25/2017 11:38 AM, pratyush parimal wrote:
> (2) add a "capaths" section to the EXAMPLE.COM KDC like so:
> 
> [capaths]
>  HADOOP.COM = {
>   EXAMPLE.COM = .
>  }
> 
> However, in practice I found that my setup works even without step (2). I'm
> wondering if the "capaths" is deprecated or something? Or is it needed for
> setups that are more complicated in some way?

capaths are generally not required when there are only two realms.
HADOOP.COM can safely assume that EXAMPLE.COM is qualified to
authenticate users in its own realm.  capaths would be required if
authentication between the two realms went through a third realm which
was not hierarchically related to the two realms.

The capaths example above does (I believe) have the modest effect of
preventing a hypothetical COM realm from acting as an authentication
intermediary between HADOOP.COM and EXAMPLE.COM.  But of course there
will never be a legitimate Kerberos realm named COM.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
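To make the hierarchy default and the "." shortcut concrete, here is an added example (not code from the thread or from MIT krb5) that models which realms sit on the cross-realm path. It assumes a simplified version of krb5's hierarchical walk: climb the client realm's parents to the common ancestor, then descend to the server realm; a [capaths] entry overrides that, and "." means a direct trust with no intermediary.

```python
"""Which realms lie on the cross-realm path between two Kerberos realms.

Simplified model of krb5's hierarchical realm walk: with no [capaths]
entry, HADOOP.COM -> EXAMPLE.COM is assumed to pass through the shared
parent realm COM.  A [capaths] entry of "." declares a direct trust.
"""


def hierarchical_path(client: str, server: str) -> list[str]:
    """Default path: client, its parents up to the common ancestor, then down to server."""
    c, s = client.split("."), server.split(".")
    common = 0  # number of trailing name components the two realms share
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    up = [".".join(c[i:]) for i in range(0, len(c) - common + 1)]        # client .. ancestor
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, -1, -1)]  # below ancestor .. server
    return [r for r in up + down if r]  # an empty name would be the nonexistent root realm


def cross_realm_path(client: str, server: str, capaths: dict) -> list[str]:
    """Path the KDC will accept: the [capaths] entry if present, else the hierarchy.

    capaths mirrors krb5.conf: {client_realm: {server_realm: [intermediate, ...]}}
    where a lone "." means "directly, no intermediary".
    """
    if client == server:
        return [client]
    hops = capaths.get(client, {}).get(server)
    if hops is None:
        return hierarchical_path(client, server)
    return [client, *(h for h in hops if h != "."), server]


def intermediaries(client: str, server: str, capaths: dict) -> list[str]:
    """Realms other than the two endpoints that a ticket would transit through."""
    return cross_realm_path(client, server, capaths)[1:-1]


# Constructed config equivalent to the [capaths] block quoted in the question.
CAPATHS = {"HADOOP.COM": {"EXAMPLE.COM": ["."]}}

if __name__ == "__main__":
    # Without capaths the hypothetical COM realm is an intermediary; with "." it is not.
    for cfg in ({}, CAPATHS):
        print(intermediaries("HADOOP.COM", "EXAMPLE.COM", cfg))
```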
