[7674] in Kerberos
Re: Cross-Realm in Kerberos 4
daemon@ATHENA.MIT.EDU (eric siebert)
Thu Jul 25 18:03:41 1996
To: kerberos@MIT.EDU
Date: Thu, 25 Jul 1996 13:45:51 GMT
From: esiebert@netcom.com (eric siebert)
eric siebert (esiebert@netcom.com) wrote:
: i'm trying to understand how cross-realm authentication works in
: Kerberos v4. for example, if i have two servers, one for REALM1
: and another for REALM2, and two clients hostA in REALM1 and
: hostB in REALM2, what do i need to do to get something like
: a kerberized rsh to allow a user authenticated on hostA in
: REALM1 to be able to rsh to hostB? i've tried a number of things
: but the specifics seem to be eluding me :)
okay, i got some good advice (thanks, Erick) and seem to be on the
way, but i've come across an interesting problem. most of the
systems i'm using are multi-homed.
+---+  ethernet  +---+
|KS1|------------|KC1|    KS1 - kerberos v4 server for realm #1
+---+            +---+    KC1 - client in realm #1
    \   tokrng   /        KS2 - kerberos v4 server for realm #2
      ---------
          |
        +---+
        |KS2|
        +---+
when i try something like an "rsh" from KC1 to KS2, i get
a "network address" error from krb_rd_req. it looks like
the ticket contains KC1's hostname (which corresponds to the
ethernet interface) and krb_rd_req compares this to the
IP address it got the ticket from (which corresponds to
the TR address) and decides this is a bad thing. is this
a known limitation? am i missing some patches? would it help
if i could migrate KS2 to Kerb v5 (i can't migrate KS1
'cause it's part of a delivered product)?
any suggestions?
eric siebert
esiebert@netcom.com
--
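
[Added example, not part of the original post or of any Kerberos distribution: a small diagnostic for the multi-homed situation described above. It asks the kernel which local source address it would use toward the KDC and toward the service host, so a mismatch like the ethernet/token-ring one can be confirmed before debugging krb_rd_req. The function names and the loopback defaults are hypothetical, and it assumes the address checked by krb_rd_req is the one the KDC saw the ticket request arrive from.]

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Write into out the local IPv4 address the kernel would use as the source
 * for traffic to peer_ip. connect() on a UDP socket only performs the route
 * lookup; no packet is sent. Returns 0 on success, -1 on error. */
int source_addr_for(const char *peer_ip, char *out, size_t outlen)
{
    struct sockaddr_in peer, local;
    socklen_t len = sizeof(local);
    int fd, rc = -1;

    memset(&peer, 0, sizeof(peer));
    peer.sin_family = AF_INET;
    peer.sin_port = htons(750);   /* Kerberos v4 KDC port; any port works here */
    if (inet_pton(AF_INET, peer_ip, &peer.sin_addr) != 1)
        return -1;
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&peer, sizeof(peer)) == 0 &&
        getsockname(fd, (struct sockaddr *)&local, &len) == 0 &&
        inet_ntop(AF_INET, &local.sin_addr, out, (socklen_t)outlen) != NULL)
        rc = 0;
    close(fd);
    return rc;
}

/* 1 if both peers are reached from the same local address, 0 if the source
 * differs (the multi-homed case in the post), -1 if a lookup fails. */
int same_source(const char *kdc_ip, const char *service_ip)
{
    char a[INET_ADDRSTRLEN], b[INET_ADDRSTRLEN];
    if (source_addr_for(kdc_ip, a, sizeof(a)) || source_addr_for(service_ip, b, sizeof(b)))
        return -1;
    printf("to %s from %s\nto %s from %s\n", kdc_ip, a, service_ip, b);
    return strcmp(a, b) == 0;
}

int main(int argc, char **argv)
{
    /* Defaults are loopback placeholders; pass the real KDC and service IPs. */
    const char *kdc = argc > 2 ? argv[1] : "127.0.0.1";
    const char *svc = argc > 2 ? argv[2] : "127.0.0.1";
    int r = same_source(kdc, svc);
    if (r == 0) puts("source addresses differ: expect an address mismatch");
    return r == 1 ? 0 : 1;
}
```

[Run it on the client with the KDC's and the service host's IP addresses as the two arguments.]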