[3895] in Kerberos
Hierarchical Realms
daemon@ATHENA.MIT.EDU (Doug Engert)
Thu Sep 22 08:19:14 1994
Date: Thu, 22 Sep 94 07:06:25 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <KERBEROS@MIT.EDU>
As part of a DOE Cross Realm Authentication Pilot project, we addressed
the problem of having the authentication path tied to the realm names.
Each site wanted to have its realm name match its domain name and
its AFS cell name, yet have a central KDC.
The solution was called "configurable authentication paths" and the
modification has been submitted to MIT for K5.4.2 (The same code works
in K5.3, 5.4, 5.4.1). In essence you define the path between two
realms, listing which other realms are to be used in the authentication
path. For example:
A.B.C.GOV wants to cross authenticate with D.E.EDU. Each is willing
to use a common KDC called F.ORG. The krb.capaths file would have
    C.GOV E.EDU F.ORG
The final authentication path would then be:
    A.B.C.GOV
    B.C.GOV
    C.GOV
    F.ORG
    E.EDU
    D.E.EDU
More on this later, I am on travel (talking about this K5) and will
provide more details to anyone who is interested next week.
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
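
Added example (not part of the original message, and not the code submitted to MIT): a sketch of how the path in the message can be derived from the one krb.capaths line it quotes. It assumes each line reads "realm realm intermediate...", applies in the direction written, and falls back to the plain name hierarchy when no line matches; the function names are hypothetical.

```python
# Constructed krb.capaths content: the single example line from the message.
CAPATHS_TEXT = "C.GOV E.EDU F.ORG\n"

def parse_capaths(text):
    """Return {(realm_a, realm_b): [intermediate realms]} (assumed line format)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # tolerate comments and blank lines
        if len(fields) >= 2:
            key = (fields[0].upper(), fields[1].upper())
            table[key] = [f.upper() for f in fields[2:]]
    return table

def ancestors(realm):
    """A.B.C.GOV -> [A.B.C.GOV, B.C.GOV, C.GOV, GOV]: the realm, then each parent."""
    labels = realm.upper().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def auth_path(client, server, table):
    """Realms traversed from client to server, or None if no path is defined."""
    up, down = ancestors(client), ancestors(server)
    # Use a configured link, trying the client's nearest ancestors first.
    for i, a in enumerate(up):
        for j, b in enumerate(down):
            if (a, b) in table:
                # climb to a, cross the listed intermediates, descend from b
                return up[:i + 1] + table[(a, b)] + down[j::-1]
    # No configured link: go through the first shared ancestor in the hierarchy.
    for i, a in enumerate(up):
        if a in down:
            j = down.index(a)
            return up[:i + 1] + down[j - 1::-1] if j else up[:i + 1]
    return None   # unrelated realms and no capaths line: no authentication path

if __name__ == "__main__":
    for realm in auth_path("A.B.C.GOV", "D.E.EDU", parse_capaths(CAPATHS_TEXT)):
        print(realm)
```

Run as a script, it prints the six realms in the order listed in the message.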