
krb5 commit: Move cross-realm info to the cross-realm section

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Thu Oct 11 11:13:30 2012

Date: Thu, 11 Oct 2012 11:13:26 -0400
From: Benjamin Kaduk <kaduk@mit.edu>
Message-Id: <201210111513.q9BFDQhB020060@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/d2f5272a5a241e215e19ce5564088ebd158cc3d1
commit d2f5272a5a241e215e19ce5564088ebd158cc3d1
Author: Ben Kaduk <kaduk@mit.edu>
Date:   Fri Oct 5 12:12:47 2012 -0400

    Move cross-realm info to the cross-realm section
    
    It's really not appropriate for the "examples" subsection of
    "Adding, modifying and deleting principals".
    
    While here, update the enctype recommendation for cross-realm principals
    to something that does not include weak crypto.

 doc/rst_source/krb_admins/database.rst |   26 ++++++++++----------------
 1 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/doc/rst_source/krb_admins/database.rst b/doc/rst_source/krb_admins/database.rst
index 4567c05..65afebf 100644
--- a/doc/rst_source/krb_admins/database.rst
+++ b/doc/rst_source/krb_admins/database.rst
@@ -140,16 +140,6 @@ type the following::
     Principal "david@ATHENA.MIT.EDU" created.
     kadmin:
 
-If you need cross-realm authentication, you will need to add
-principals for the other realm's TGT to each realm. For example, if
-you need to do cross-realm authentication between the realms
-``ATHENA.MIT.EDU`` and ``EXAMPLE.COM``, you would need to add the
-principals ``krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU`` and
-``krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM`` to both databases. You need to
-be sure the passwords and the key version numbers (kvno) are the same
-in both databases. This may require explicitly setting the kvno with
-the **-kvno** option. See :ref:`xrealm_authn` for more details.
-
 If you want to delete a principal ::
 
     kadmin: delprinc jennifer
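Review bot: the deleted paragraph was the only text in the "examples" subsection that carried the :ref:`xrealm_authn` cross-reference, so a reader who reaches the addprinc examples looking for cross-realm setup now gets no pointer at all. Consider leaving a single sentence in its place, e.g. "For cross-realm authentication, see :ref:`xrealm_authn`.", so the move does not turn into a dead end in the section where administrators are most likely to look for it.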
@@ -631,15 +621,19 @@ Cross-realm authentication
 
 In order for a KDC in one realm to authenticate Kerberos users in a
 different realm, it must share a key with the KDC in the other realm.
-In both databases, there must be krbtgt service principals for realms.
+In both databases, there must be krbtgt service principals for both realms.
+For example, if you need to do cross-realm authentication between the realms
+``ATHENA.MIT.EDU`` and ``EXAMPLE.COM``, you would need to add the
+principals ``krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU`` and
+``krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM`` to both databases.
 These principals must all have the same passwords, key version
-numbers, and encryption types.
+numbers, and encryption types; this may require explicitly setting
+the key version number with the **-kvno** option.
 
-For example, if the administrators of ATHENA.MIT.EDU and EXAMPLE.COM
-wanted to authenticate across the realms, they would run the following
-commands on the KDCs in both realms::
+In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators
+would run the following commands on the KDCs in both realms::
 
-    shell%: kadmin.local -e "des3-hmac-sha1:normal des-cbc-crc:v4"
+    shell%: kadmin.local -e "aes256-cts:normal"
     kadmin: addprinc -requires_preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM
     Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM:
     Re-enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM:
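Review bot: the new `kadmin.local -e "aes256-cts:normal"` line restricts the krbtgt principals to a single enctype, but the surrounding text only says that both realms must use the same encryption types; it should also say that the chosen enctype must be supported by both KDCs (and by the clients that will obtain cross-realm tickets), since a KDC in the other realm that lacks AES support will be unable to use the shared key. A short clause after "must all have the same passwords, key version numbers, and encryption types" would cover it. Minor style point in the same hunk: the prompt is written `shell%:` with a trailing colon, which is unusual for this manual's examples and could be read as part of the command.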