[3875] in Kerberos
Re: hierarchical realms
daemon@ATHENA.MIT.EDU (Phi H Truong)
Tue Sep 20 10:07:41 1994
To: kerberos@MIT.EDU
Date: 20 Sep 1994 13:24:13 GMT
From: orion@iastate.edu (Phi H Truong)
Reply-To: orion@iastate.edu (Phi H Truong)
In article <9409192044.AA01292@windsail.nersc.gov>,
Joe Ramus <ramus@nersc.gov> wrote:
>
>>> From warlord@MIT.EDU Mon Sep 19 13:13:12 1994
>>>
>>> > Is it possible to build hierarchical realms?
>>>
>>> Well, I guess it depends on what you mean by hierarchical realms? I
>>> believe the answer is "yes", but it depends on what you are trying to
>>> accomplish. A realm is a realm, and the authorization of
>>> warlord@ATHENA.MIT.EDU is not the same as the authorization of
>>> warlord@MEDIA-LAB.MIT.EDU, which is not the same as the authorization
>>> of warlord@LAB214.BELLCORE.COM or warlord@GZA.COM, even though I am
>>> the person that owns those IDs.
>>>
>>> Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory
>
>The ESnet Kerberos Pilot Project has demonstrated how a ticket
>from one realm can be "trusted" in another realm. This is the
>concept of Cross Realm Authentication.
>
>The "trust relationships" can be set up as hierarchical realms or
>a configuration file may be used with non-hierarchical realm names.
>
Not everything works well with cross-realm authentication. It's kind of
messy to have a kerberos server for each sub-realm, not to mention
ridiculous. Don't know about Kerberos V but we have tried K4's
cross-realm and we hated it. Our master kerberos knows only one realm:
IASTATE.EDU. Everything else got mapped into that through krb.realms, for
example:
.vincent.iastate.edu IASTATE.EDU
.cc.iastate.edu IASTATE.EDU
.iastate.edu IASTATE.EDU
.admin.iastate.edu IASTATE.EDU
.adp.iastate.edu IASTATE.EDU
.aeem.iastate.edu IASTATE.EDU
.aero.iastate.edu IASTATE.EDU
.agron.iastate.edu IASTATE.EDU
.al.iastate.edu IASTATE.EDU
--
_____
Phi H. Truong "Hmmmmmmmm....... "
orion@iastate.edu ISU Computation Center
Systems Analyst 237 Durham Center ph: (515) 294 -1420
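
How a krb.realms map like the one in the post resolves hostnames to a single realm, as an added example that is not part of the original message. It assumes the Kerberos 4 lookup order (exact host entry, then a domain entry equal to everything after the first label, then the upper-cased domain as the default realm); the function names and the sample hostnames are hypothetical.

```python
# Constructed sample: three of the krb.realms entries quoted in the post.
KRB_REALMS = """\
.vincent.iastate.edu IASTATE.EDU
.cc.iastate.edu IASTATE.EDU
.iastate.edu IASTATE.EDU
"""

def parse_krb_realms(text):
    """Split krb.realms-style text into exact-host and .domain maps."""
    hosts, domains = {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<host|.domain> <REALM>'")
        name, realm = fields[0].lower(), fields[1]
        (domains if name.startswith(".") else hosts)[name] = realm
    return hosts, domains

def realm_of_host(fqdn, hosts, domains, local_realm="IASTATE.EDU"):
    """Return (realm, reason) for a hostname under the assumed lookup order."""
    fqdn = fqdn.rstrip(".").lower()
    if fqdn in hosts:                      # 1. exact host entry wins
        return hosts[fqdn], "host entry"
    _, dot, rest = fqdn.partition(".")
    if not dot:                            # unqualified name: local realm
        return local_realm, "local realm"
    if "." + rest in domains:              # 2. entry equal to the host's domain
        return domains["." + rest], "domain entry"
    return rest.upper(), "default"         # 3. upper-cased domain as realm

def audit(hostnames, text, expected_realm):
    """List (host, realm, reason) for hosts that miss expected_realm."""
    hosts, domains = parse_krb_realms(text)
    misses = []
    for host in hostnames:
        realm, reason = realm_of_host(host, hosts, domains)
        if realm != expected_realm:
            misses.append((host, realm, reason))
    return misses

if __name__ == "__main__":
    # Hypothetical hostnames; "physics" has no entry in the sample above.
    sample = ["mail.cc.iastate.edu", "www.iastate.edu", "lab1.physics.iastate.edu"]
    for miss in audit(sample, KRB_REALMS, "IASTATE.EDU"):
        print(miss)
```

Under this assumed lookup order, a subdomain with no entry falls through to a realm named after the subdomain, which is consistent with the post's file listing each subdomain separately.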