[3727] in Kerberos
cross realm authentication
daemon@ATHENA.MIT.EDU (Doug Engert)
Wed Aug 17 16:51:10 1994
Date: Wed, 17 Aug 94 14:04:53 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <kerberos@MIT.EDU>
Cc: <guenther@tigger.csc.wsu.edu>
Dean Guenther <guenther@tigger.csc.wsu.edu> writes:
> How do I do cross realm authentication. I didn't see any documentation on it
> with what I got from the Kerberos distribution. What I want to do is have one
> machine (persian.it.wsu.edu) which belongs to realm WSU.EDU to be able to ask
> realm TEST.WSU.EDU for authentication from time to time. Is there any
> documentation on this? -- Dean
Dave McGuire mcguire <rocinante.digex.net> asked a similar question
a few days ago using FOO.COM and BAR.COM as the realm names.
I sent this to him:
On FOO.COM add:
krbtgt/FOO.COM@BAR.COM
krbtgt/BAR.COM@FOO.COM
on BAR.COM add:
krbtgt/FOO.COM@BAR.COM
krbtgt/BAR.COM@FOO.COM
Make sure you get the same keys in both of the krbtgt/FOO.COM@BAR.COM
entries and the same key in both of the krbtgt/BAR.COM@FOO.COM entries.
I use the admin/krb5_edit av4k subcommand. Since you can not set the
kvno when changing the passwords, make sure you don't make a mistake,
and change one of them twice. If so, delete and re-add the entries.
Make sure the krb.conf and krb.realms have both sets of servers.
You should then be able to get tickets in the other realm. Klogind
in BAR.COM will look for a .k5login file in the user HOME directory
with any entry like:
user@FOO.COM
which says user@FOO.COM is allowed to login here.
User only needs an entry in the FOO.COM KDC.
I am running Kerberos 5.4.1 and k5.4.2 realms.
Let me know if this helps.
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
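The two checks the post stresses, as an added toy model (not the Kerberos protocol and not code from the Kerberos distribution): the krbtgt/BAR.COM@FOO.COM key and kvno must agree in both KDCs, and klogind only admits a foreign principal listed in .k5login. The KDC tables, keys, kvnos and the HMAC "ticket" are constructed stand-ins for the real ticket encryption.

```python
import hmac
import hashlib

# Constructed sample KDC databases: principal -> (kvno, key).
# Both realms hold both cross-realm krbtgt entries with identical keys,
# as the post says they must.
FOO_KDC = {
    "krbtgt/BAR.COM@FOO.COM": (1, b"constructed-key-bar-in-foo"),
    "krbtgt/FOO.COM@BAR.COM": (1, b"constructed-key-foo-in-bar"),
}
BAR_KDC = {
    "krbtgt/BAR.COM@FOO.COM": (1, b"constructed-key-bar-in-foo"),
    "krbtgt/FOO.COM@BAR.COM": (1, b"constructed-key-foo-in-bar"),
}

def issue_cross_realm_tgt(home_kdc, client, target_realm):
    """The client's home TGS issues a ticket for krbtgt/TARGET@HOME,
    sealed with the home KDC's copy of that principal's key (toy: HMAC)."""
    home_realm = client.split("@")[1]
    svc = f"krbtgt/{target_realm}@{home_realm}"
    kvno, key = home_kdc[svc]
    mac = hmac.new(key, client.encode(), hashlib.sha256).digest()
    return {"client": client, "svc": svc, "kvno": kvno, "mac": mac}

def accept_cross_realm_tgt(remote_kdc, tgt):
    """The remote TGS checks the ticket with *its* copy of the same key.
    A kvno or key mismatch (e.g. a password changed twice on one side,
    as the post warns) is rejected."""
    entry = remote_kdc.get(tgt["svc"])
    if entry is None or entry[0] != tgt["kvno"]:
        return False
    expected = hmac.new(entry[1], tgt["client"].encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tgt["mac"])

def k5login_allows(k5login_text, principal):
    """klogind-style authorization: the foreign principal must be listed
    in the target user's .k5login (blank lines and # comments ignored)."""
    allowed = {line.strip() for line in k5login_text.splitlines()
               if line.strip() and not line.lstrip().startswith("#")}
    return principal in allowed

def can_login(home_kdc, remote_kdc, client, target_realm, k5login_text):
    """Full path: cross-realm TGT accepted by the remote KDC AND the
    principal authorized by .k5login on the target host."""
    tgt = issue_cross_realm_tgt(home_kdc, client, target_realm)
    return accept_cross_realm_tgt(remote_kdc, tgt) and k5login_allows(k5login_text, client)
```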