[3968] in Kerberos
Re: cross realm authentication
daemon@ATHENA.MIT.EDU (Joe Ramus)
Fri Sep 30 15:44:28 1994
Date: Fri, 30 Sep 94 10:18:09 PDT
From: ramus@nersc.gov (Joe Ramus)
To: kerberos@MIT.EDU, ajones@ctron.com
Other folks have asked this question.
The message attached below gives some helpful information.
Cross realm authentication works very well with the latest version
of Kerberos 5 (K5.4.2). The ESnet Pilot project has identified some
bug fixes that may be needed.
There is no need to have principals or machines listed in the remote
realm, only in your local realm.
There must be a trust relationship between the two realms.
This can be provided by cross realm keys such as
krbtgt/FOO.COM@BAR.COM
krbtgt/BAR.COM@FOO.COM
It is also possible to have a third party trust relationship.
>> From ajones@ctron.com Fri Sep 30 06:45:07 1994
>> Return-Path: <ajones@ctron.com>
>> To: kerberos@MIT.EDU
>> Subject: cross-realm authentication
>> Date: Fri, 30 Sep 1994 09:20:21 -0400
>> From: Alexander Seth Jones <ajones@ctron.com>
>>
>> How have people gotten cross-realm authentication to work? I would assume
>> that users who wish to authenticate across realms must have principals in
>> both realms, but how does setting up machines work? Do machines have to be
>> in each other's realms as well? In other words, would a machine have to have
>> an rcmd service key for both realms in order for one user to authenticate to
>> the other machine in the different realm?
>>
>> I hope my question is clear. Could someone who has set this up and has it
>> working explain how to set things up.
>>
>> Thanks.
>>
>> Alex Jones
----- Begin Included Message -----
This question was asked:
> How do I do cross realm authentication. I didn't see any documentation on it
> with what I got from the kerberos distribution. What I want to do is have one
> machine (persian.it.wsu.edu) which belongs to realm WSU.EDU to be able to ask
> realm TEST.WSU.EDU for authentication from time to time. Is there any
> documentation on this? -- Dean
Using FOO.COM and BAR.COM as the realm names:
On FOO.COM add:
krbtgt/FOO.COM@BAR.COM
krbtgt/BAR.COM@FOO.COM
on BAR.COM add:
krbtgt/FOO.COM@BAR.COM
krbtgt/BAR.COM@FOO.COM
Make sure you get the same keys in both of the krbtgt/FOO.COM@BAR.COM
entries and the same key in both of the krbtgt/BAR.COM@FOO.COM entries.
I use the admin/krb5_edit ank subcommand. Since you cannot set the
kvno when changing the passwords, make sure you don't make a mistake
and change one of them twice. If so, delete and redo the entries.
Make sure the krb.conf and krb.realms have both sets of servers.
You should then be able to get TGT tickets in the other realm. Klogind
in BAR.COM will look for a .k5login file in the user's HOME directory
with an entry like:
user@FOO.COM
which says user@FOO.COM is allowed to login here.
User only needs an entry in the FOO.COM KDC.
----- End Included Message -----
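The two checks the included message describes, as an added example that is not part of the original post or of any Kerberos release: verifying that the krbtgt/FOO.COM@BAR.COM and krbtgt/BAR.COM@FOO.COM entries exist on both KDCs with matching key and kvno, and modelling klogind's .k5login decision. The KDC databases, key strings and kvnos are constructed sample data.

```python
"""Sanity checks for a two-realm Kerberos cross-realm setup.
Added example with constructed data; not code from the original post."""

# Constructed principal databases for the two KDCs: principal -> (key, kvno).
# Cross-realm trust needs both krbtgt entries on BOTH KDCs with identical key
# and kvno on each side. The kvno drift in KDC_BAR models the post's warning
# about changing one of the passwords twice.
KDC_FOO = {
    "krbtgt/FOO.COM@FOO.COM": ("key-foo-local", 1),
    "krbtgt/FOO.COM@BAR.COM": ("key-foo-from-bar", 1),
    "krbtgt/BAR.COM@FOO.COM": ("key-bar-from-foo", 1),
    "user@FOO.COM": ("key-user", 1),
}
KDC_BAR = {
    "krbtgt/BAR.COM@BAR.COM": ("key-bar-local", 1),
    "krbtgt/FOO.COM@BAR.COM": ("key-foo-from-bar", 1),
    "krbtgt/BAR.COM@FOO.COM": ("key-bar-from-foo", 2),  # changed twice: kvno 2
}


def cross_realm_problems(realm_a, db_a, realm_b, db_b):
    """Return a list of problems with the A<->B cross-realm krbtgt entries."""
    problems = []
    for princ in (f"krbtgt/{realm_a}@{realm_b}", f"krbtgt/{realm_b}@{realm_a}"):
        for realm, db in ((realm_a, db_a), (realm_b, db_b)):
            if princ not in db:
                problems.append(f"{princ} missing from {realm} KDC")
        if princ in db_a and princ in db_b and db_a[princ] != db_b[princ]:
            problems.append(f"{princ} key/kvno differ between KDCs: "
                            f"{db_a[princ]} vs {db_b[princ]}")
    return problems


def k5login_allows(k5login_text, client_principal, local_user, local_realm):
    """Model klogind's authorization: if ~/.k5login exists (text given), the
    client principal must be listed in it; if it does not exist (None), only
    local_user@LOCAL_REALM may log in to the account."""
    if k5login_text is None:
        return client_principal == f"{local_user}@{local_realm}"
    entries = {line.strip() for line in k5login_text.splitlines() if line.strip()}
    return client_principal in entries


if __name__ == "__main__":
    for p in cross_realm_problems("FOO.COM", KDC_FOO, "BAR.COM", KDC_BAR):
        print("PROBLEM:", p)
    print(k5login_allows("user@FOO.COM\n", "user@FOO.COM", "user", "BAR.COM"))
```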