[37815] in Kerberos


Cross-Realm Admins

daemon@ATHENA.MIT.EDU (Kemper, Stephan)
Mon Dec 19 21:49:01 2016

From: "Kemper, Stephan" <stephan.kemper@viasat.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Mon, 19 Dec 2016 20:50:56 +0000
Message-ID: <AD903E07-E2BA-477D-8867-0BF4AAECDCEF@contoso.com>
Content-Language: en-US
Content-ID: <0F575697963E4C4BAC476585EBA9653B@viasat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi all,

We’re trying to roll out a multi-tenant Kerberos realm service here at ViaSat.  We have a root realm (something like VIASAT.COM) that has principals for all the users, and then a series of sub-realms (A.VIASAT.COM, B.VIASAT.COM, etc) that have one-way trust relationships with the root.  For regular service use, this is working fine.  Users in VIASAT.COM can properly authenticate to a service in B.VIASAT.COM, for example.

We are running a single multi-realm KDC process, along with a kadmind process per realm, on a single host, backed by an LDAP database.  The KDC is running on default ports, but each kadmind is running on a dedicated pre-defined port.  The procs look something like

/usr/sbin/kadmind -P /var/run/krb5-admin-VIASAT.COM.pid -r VIASAT.COM
/usr/sbin/kadmind -P /var/run/krb5-admin-A.VIASAT.COM.pid -r A.VIASAT.COM
/usr/sbin/kadmind -P /var/run/krb5-admin-B.VIASAT.COM.pid -r B.VIASAT.COM
/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -r VIASAT.COM -r A.VIASAT.COM -r B.VIASAT.COM

The problem is with our admin principals.  I can’t seem to get our KDC to hand me the service ticket that I want.  Each time I run a `kinit -S kadmin/admin@B.VIASAT.COM -c ccache skemper/admin@VIASAT.COM` I get back a service of kadmin/admin@VIASAT.COM, the root realm.

From what I can tell, when I issue that command, the request that’s getting sent over the wire is only encoding the service name (“kadmin/admin”), rather than the entire principal of the service I want.  Since serving multiple realms out of a single KDC is supported, I would expect a way to tell said KDC which realm I want a given service ticket from.  Maybe I’m missing something?


Thanks,
Stephan Kemper
ViaSat, Inc.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
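An added example, not part of the original post and not MIT krb5 code: a small Python check for the layout described above. It parses the kadmind/krb5kdc command lines quoted in the post, verifies that every realm the KDC serves has exactly one kadmind (and no stray kadmind serves an unknown realm), and compares the service principal requested with `kinit -S` against the one found in the ccache so the realm substitution the post reports is flagged explicitly. The process lines are copied from the post; the principal strings are constructed.

```python
"""Consistency checks for a single multi-realm KDC with one kadmind per realm."""
import re
import shlex

# Sample input: the process list quoted in the post (one command line per entry).
PROCS = [
    "/usr/sbin/kadmind -P /var/run/krb5-admin-VIASAT.COM.pid -r VIASAT.COM",
    "/usr/sbin/kadmind -P /var/run/krb5-admin-A.VIASAT.COM.pid -r A.VIASAT.COM",
    "/usr/sbin/kadmind -P /var/run/krb5-admin-B.VIASAT.COM.pid -r B.VIASAT.COM",
    "/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -r VIASAT.COM -r A.VIASAT.COM -r B.VIASAT.COM",
]

def realms_of(cmdline):
    """Return every realm given with -r on a kadmind or krb5kdc command line."""
    args = shlex.split(cmdline)
    return [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-r"]

def check_layout(procs):
    """Each KDC realm needs exactly one kadmind, and each kadmind realm must be
    one the KDC serves. Returns a sorted list of human-readable problems."""
    kdc_realms, kadmind_realms = set(), {}
    for line in procs:
        prog = shlex.split(line)[0].rsplit("/", 1)[-1]
        for realm in realms_of(line):
            if prog == "krb5kdc":
                kdc_realms.add(realm)
            elif prog == "kadmind":
                kadmind_realms[realm] = kadmind_realms.get(realm, 0) + 1
    problems = [f"no kadmind for {r}" for r in kdc_realms - kadmind_realms.keys()]
    problems += [f"kadmind for {r} but KDC does not serve it"
                 for r in kadmind_realms.keys() - kdc_realms]
    problems += [f"{n} kadmind processes for {r}"
                 for r, n in kadmind_realms.items() if n > 1]
    return sorted(problems)

PRINCIPAL = re.compile(r"^(?P<name>[^@]+)@(?P<realm>[^@]+)$")

def ticket_realm_mismatch(requested, granted):
    """Compare the service principal asked for (kinit -S) with the one in the
    ccache (klist). Returns None when they agree, otherwise what differs."""
    req, got = PRINCIPAL.match(requested), PRINCIPAL.match(granted)
    if not req or not got:
        raise ValueError("principal must look like name/instance@REALM")
    if req["name"] != got["name"]:
        return f"service name differs: asked {req['name']}, got {got['name']}"
    if req["realm"] != got["realm"]:
        return f"realm differs: asked {req['realm']}, got {got['realm']}"
    return None
```

Feed `check_layout` the output of `ps -o args=` filtered to kadmind and krb5kdc, and `ticket_realm_mismatch` the service principal column from `klist -c ccache`, to turn the symptom in the post into an explicit test.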

