Re: Kerberos cross-realm with AD
daemon@ATHENA.MIT.EDU (Brian Candler)
Tue Feb 8 05:07:39 2011
Date: Tue, 8 Feb 2011 10:07:32 +0000
From: Brian Candler <B.Candler@pobox.com>
To: Jean-Yves Avenard <jyavenard@gmail.com>
Message-ID: <20110208100732.GC2845@talktalkplc.com>
In-Reply-To: <AANLkTimDN5eY+ijURCkOrmmmJwqPT37KJWhS2=fzj=fE@mail.gmail.com>
Cc: kerberos@mit.edu
On Tue, Feb 08, 2011 at 01:32:21PM +1100, Jean-Yves Avenard wrote:
> So in reference to authentication only.
>
> The krb5.conf on the FreeBSD machine doesn't need to be told about
> MEL.DOMAIN.COM whatsoever?

Correct.

On the client side: you need to know about MEL.DOMAIN.COM (obviously),
but also the domain_realm rules to map the server's DNS domain to realm
M.DOMAIN.COM, and also the location of the KDCs for M.DOMAIN.COM (so that it
can contact the KDC to get the correct cross-realm ticket). Or you can
publish that info in the DNS using TXT and SRV records.

The server side needs only to know about M.DOMAIN.COM, and only needs a
keytab entry for the M.DOMAIN.COM KDC. The client will have already obtained
a ticket from the M.DOMAIN.COM KDC, encrypted with the correct key.

Regards,

Brian.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
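The client-side configuration Brian describes, written out as an added example (it is not from the thread or from either poster). It assumes the client's own realm is MEL.DOMAIN.COM, that the service it wants lives on a host named fs1.m.domain.com in M.DOMAIN.COM, and the KDC hostnames kdc1.mel.domain.com and kdc1.m.domain.com; all of those names are invented for the illustration.

```ini
# Added example krb5.conf for a client in MEL.DOMAIN.COM that must reach a
# service in M.DOMAIN.COM. Hostnames and KDC addresses are assumptions.
[libdefaults]
    default_realm = MEL.DOMAIN.COM
    # Fall back to _kerberos._udp.<domain> SRV lookups if a realm has no
    # kdc= lines below (the DNS alternative Brian mentions).
    dns_lookup_kdc = true
    # Deriving the *realm* of a host from unsigned _kerberos TXT records lets
    # anyone who can spoof DNS steer the client at a realm of their choosing,
    # so keep the host->realm mapping static in [domain_realm].
    dns_lookup_realm = false

[realms]
    MEL.DOMAIN.COM = {
        kdc = kdc1.mel.domain.com
        admin_server = kdc1.mel.domain.com
    }
    # The client's own KDC hands out the cross-realm TGT
    # krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM; the client then has to present it
    # to a KDC of M.DOMAIN.COM to get the service ticket, so it must be able
    # to locate one. Nothing about MEL.DOMAIN.COM is needed on the server.
    M.DOMAIN.COM = {
        kdc = kdc1.m.domain.com
    }

[domain_realm]
    .mel.domain.com = MEL.DOMAIN.COM
    mel.domain.com  = MEL.DOMAIN.COM
    # Without these two lines the client assumes the server is in its own
    # realm and asks for host/fs1.m.domain.com@MEL.DOMAIN.COM, which the
    # MEL KDC cannot issue.
    .m.domain.com   = M.DOMAIN.COM
    m.domain.com    = M.DOMAIN.COM
```

If the M.DOMAIN.COM side is published in DNS instead, the equivalent of the `kdc =` line is an SRV record of the form `_kerberos._udp.m.domain.com. IN SRV 0 0 88 kdc1.m.domain.com.` (plus `_tcp`), and the equivalent of the `[domain_realm]` mapping is a TXT record `_kerberos.m.domain.com. IN TXT "M.DOMAIN.COM"`; the realm mapping only takes effect with `dns_lookup_realm = true`. To check the result from the client, run `kinit user@MEL.DOMAIN.COM`, then `kvno host/fs1.m.domain.com@M.DOMAIN.COM`; `klist` should now show both `krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM` (the cross-realm TGT) and the service ticket. On the FreeBSD server, the only requirements are a `[realms]` entry for M.DOMAIN.COM and a keytab holding the host/fs1.m.domain.com@M.DOMAIN.COM key, which is what Brian's last paragraph says.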