[4411] in Kerberos


Re: krb.realms in K4

daemon@ATHENA.MIT.EDU (Shawn Mamros)
Sat Dec 31 00:41:53 1994

To: kerberos@MIT.EDU
Date: Wed, 21 Dec 1994 09:19:15
From: mamros@ftp.com (Shawn Mamros)
Reply-To: mamros@ftp.com

mattp@apertus.com (Matt Perry) writes:
>I am trying to understand the role of the krb.realms file for the
>server, the client and the end-service in K4.
>
>Does the server's krb.realm file need to be migrated to each host with
>and end-service on it and each client which may need to use those 
>end-services?

krb.realms provides a translation table between host or zone names and
the realms to which they belong.  For example, if you have a Kerberized
telnet and you want to telnet to host.in.some.other.zone (assuming cross-
realm authentication has been set up between your realm and theirs), then
having a krb.realms file entry of the form

in.some.other.zone THEIR.REALM.NAME

or

host.in.some.other.zone THEIR.OTHER.REALM.NAME

(the second entry, being specific to the hostname, overrides the first)
allows the krb_realmofhost() function in V4 to find the right realm
name for that host, which you need in order to get the appropriate cross-
realm ticket.

A krb.realms file isn't strictly needed in all cases.  For one thing,
it's unlikely that an application server will need to call krb_realmofhost(),
since it will get the client's realm name out of the ticket from the client.
However, if you need to get tickets once you're on the application server
(or if the server needs its own tickets for some reason), then you'll need
a krb.realms file there.  Even if that's not the case, it's probably
easier to keep a copy there "just in case", rather than worry about
whether the machine has the file or not for those times when you do need it.

Also, if your zone name(s) correspond exactly to your realm name(s) (for
example, if all your hosts are whatever.foo.com and your zone is named
FOO.COM), then krb_realmofhost() can do the appropriate translation without
needing a krb.realms entry.  Again, though, having one anyways doesn't hurt.

>Does the krb.conf file associate a realms with a server and
>the krb.realms file associate a host/end-service with a realm?

krb.conf serves two purposes: designating the "local realm" of a host
and listing the Kerberos server(s) for that and/or any other realm(s)
with which you need to authenticate.

>Is this example correct?
>
>host1 and host2 are both running service rcmd and are in REALM2 
>
>host3 is running service rcmd in REALM1.
>
>All clients get their tickets from server1 in REALM3.
>
>All machines are in the same domain foo.bar.edu.
>
>krb.conf
>REALM3
>REALM3 server1.foo.bar.edu admin server

If your clients intend to authenticate to host1 or host2, you'll also
need to list the Kerberos server(s) for REALM2 in krb.conf.  Likewise,
if your clients need to authenticate to host3, you need to list the
Kerberos server(s) for REALM1.  (As well as setting up the appropriate
cross-realm keys, of course...)

One other thing: your application servers will probably need an
appropriate krb.conf file set up, to identify the local realm name if
nothing else.

>krb.realms
>FOO.BAR.EDU REALM3
>host1.foo.bar.edu REALM2
>host2.foo.bar.edu REALM2
>host3.foo.bar.edu REALM1

That first line should be

.foo.bar.edu REALM3

Note the leading dot - it's needed to indicate that it's a zone name vs.
being a hostname.  The case for the first part of the line doesn't matter,
but realm names are case-sensitive.

Hope this helps...

-Shawn Mamros
E-mail to: mamros@ftp.com
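As an added illustration of the lookup rules Shawn describes (host-specific entry first, then the zone entry with its leading dot, then the zone name upper-cased as a fallback) and of the krb.conf cross-check he recommends, here is a small Python model. It is not code from the post or from MIT Kerberos: the suffix-walk order and the upper-case fallback are assumptions modelled on the behaviour the post describes, not a copy of krb_realmofhost(), and the sample files are constructed from the example in the thread (with the leading dot restored).

```python
"""Model of the V4 krb.realms / krb.conf lookups discussed in the post.

Assumptions (not taken from the post or from MIT Kerberos source):
  * zone entries are tried from the most specific suffix to the least;
  * when nothing matches, the domain part of the hostname is upper-cased
    and used as the realm name.
"""

# Constructed krb.realms, based on the thread's example with the leading dot added.
KRB_REALMS = """\
.foo.bar.edu REALM3
host1.foo.bar.edu REALM2
host2.foo.bar.edu REALM2
host3.foo.bar.edu REALM1
"""

# The same file as originally posted: the zone line lacks its leading dot.
KRB_REALMS_NO_DOT = KRB_REALMS.replace(".foo.bar.edu REALM3", "FOO.BAR.EDU REALM3")

# krb.conf exactly as posted: local realm on the first line, then one server line.
KRB_CONF = """\
REALM3
REALM3 server1.foo.bar.edu admin server
"""


def parse_krb_realms(text):
    """Return (hosts, zones): hostname -> realm and '.zone' -> realm.

    Keys are lower-cased because the host/zone part is case-insensitive;
    realm values are kept verbatim because realm names are case-sensitive.
    """
    hosts, zones = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, realm = line.split()[:2]
        target = zones if name.startswith(".") else hosts
        target[name.lower()] = realm
    return hosts, zones


def realm_of_host(hostname, hosts, zones):
    """Host-specific entry wins, then the closest enclosing zone entry,
    then (assumed fallback) the domain part upper-cased as the realm."""
    h = hostname.lower()
    if h in hosts:
        return hosts[h]
    labels = h.split(".")
    # Walk suffixes from most specific (.a.b.c) to least specific (.c).
    for i in range(1, len(labels)):
        zone = "." + ".".join(labels[i:])
        if zone in zones:
            return zones[zone]
    if len(labels) > 1:
        return ".".join(labels[1:]).upper()
    return None


def parse_krb_conf(text):
    """First non-blank line is the local realm; later lines are
    'REALM server [admin server]'. Returns (local_realm, {realm: [servers]})."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    local_realm = lines[0]
    servers = {}
    for line in lines[1:]:
        parts = line.split()
        servers.setdefault(parts[0], []).append(parts[1])
    return local_realm, servers


def missing_kdc_realms(hosts, zones, servers):
    """Realms that krb.realms can return but krb.conf names no server for:
    the gap the post points out for REALM1 and REALM2."""
    referenced = set(hosts.values()) | set(zones.values())
    return sorted(r for r in referenced if r not in servers)


if __name__ == "__main__":
    hosts, zones = parse_krb_realms(KRB_REALMS)
    for name in ("host1.foo.bar.edu", "HOST3.foo.bar.edu", "host9.foo.bar.edu"):
        print(name, "->", realm_of_host(name, hosts, zones))
    bad_hosts, bad_zones = parse_krb_realms(KRB_REALMS_NO_DOT)
    print("without the dot, host9 ->", realm_of_host("host9.foo.bar.edu", bad_hosts, bad_zones))
    local, servers = parse_krb_conf(KRB_CONF)
    print("local realm:", local, "| realms with no server listed:",
          missing_kdc_realms(hosts, zones, servers))
```

Running it shows the two points of the reply in one place: with the dot, any unlisted host under foo.bar.edu resolves to REALM3, while without it the poster's first line is treated as a hostname and such hosts fall back to the made-up realm FOO.BAR.EDU; and the posted krb.conf leaves REALM1 and REALM2 without a Kerberos server, which is why clients could not obtain cross-realm tickets for host1, host2 or host3.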
