Question: want different default_realm for service and user

Kiran Kumar M mkiran at india.hp.com
Thu Aug 12 03:38:20 EDT 2004


I don't know if I missed something here, but I don't see any issue
with the approach of setting "default_realm = FOO.ORG".
In this case your Kerberos config file will look like this...

[libdefaults]
default_realm = FOO.ORG
# This will ensure that we'll go to FOO.ORG to get tickets for users
# .....

[realms]
        FOO.ORG = {
                kdc = svr.foo.org:88
                admin_server = svr.foo.org
        }
        BAR.FOO.ORG = {
                kdc = svr.bar.foo.org:88
                admin_server = svr.bar.foo.org
        }
# .....

[domain_realm]
.your.domain.org = BAR.FOO.ORG
# This will ensure that principals of type service/xyz.your.domain.org will
# be resolved to belong to BAR.FOO.ORG
# ...

[capaths]
        BAR.FOO.ORG = {
                FOO.ORG = .
        }
        FOO.ORG = {
                BAR.FOO.ORG = .
        }


Jeffrey Altman wrote:

> The approach is a valid way of doing things.
> On the Unix system you will need to use more than one configuration
> file and specify which one to use via the KRB5_CONFIG environment
> variable.
>
> Jeffrey Altman
>
> Dirk Pape wrote:
>
> > Hello,
> >
> > I want to do the following with two kerberos realms which trust each
> > other:
> >
> > The first realm "FOO.ORG" holds only user principals; it is based on a
> > Windows 2003 Server AD.
> >
> > The second realm "BAR.FOO.ORG" holds service principals for Unix services,
> > such as "host/domain@BAR.FOO.ORG" for all Unix hosts running ssh.
> > We want to hold these principals in an MIT-kerb. based KDC, because we
> > like to use the well-known and well-documented kadmin tool to remotely
> > create service principals in that domain.
> >
> > As I understand it, it will be possible to authenticate as "user@FOO.ORG" to
> > a service running with a keytab for a service principal
> > "service/domain@BAR.FOO.ORG" if both realms trust each other.
> >
> > First question: is this correct and a reasonable scenario? (We could not
> > test it yet because we have not yet set up the BAR.FOO.ORG domain.)
> >
> > If this works and is a reasonable approach, then we see the following
> > problem from our tests.
> >
> > If the [libdefaults] section in /etc/krb5.conf on the Unix host running
> > the kerberized ssh service contains "default_realm = BAR.FOO.ORG", then
> > obtaining user TGTs on login (via PAM) or by "kinit user" on this host
> > will fail, because it will try to get them from realm BAR.FOO.ORG.
> >
> > On the other hand, if "default_realm = FOO.ORG", the ssh service and
> > other services would not find the correct keytab entry because they look
> > for "service/domain@FOO.ORG" instead of "service/domain@BAR.FOO.ORG".
> >
> > From what I see, I need to specify somehow that SPNs and user PNs come
> > from different realms by default.
> >
> > Is this doable with some configuration options on the Unix host? (I
> > already tried many things with the sections [domain_realm] and
> > [appdefaults] but I could not find a way.)
> >
> > I would appreciate every hint.
> >
> > The other approach for our problem would be to find or implement an RPC
> > on the Windows server running AD, which, like kadmin/kadmind, enables
> > admins to create SPNs remotely and transfer the keytab securely to the
> > service host.
> >
> > Last question: does anybody know such a daemon for Windows 2003 Server?
> >
> > Thanks,
> > Dirk.
> >
>
> --
> -----------------
> This e-mail account is not read on a regular basis.
> Please send private responses to jaltman at mit dot edu
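To see why the configuration in the reply above sends "kinit user" to FOO.ORG while placing host/xyz.your.domain.org in BAR.FOO.ORG, here is a small added example (not from the thread and not MIT's own code) that applies a simplified [domain_realm] lookup to a trimmed copy of that krb5.conf. The lookup order it implements (exact host entry, then the longest parent domain with a leading dot, then default_realm) is an assumption about MIT's behaviour, and the hostnames are constructed.

```python
import re

# Constructed, trimmed copy of the krb5.conf from the reply above.
KRB5_CONF = """
[libdefaults]
    default_realm = FOO.ORG
[domain_realm]
    .your.domain.org = BAR.FOO.ORG
"""

def parse_krb5_conf(text):
    """Collect flat `key = value` lines per section; '#'/';' lines are comments."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[([\w.]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif line.endswith("{"):      # nested block such as a [realms] entry:
            depth += 1                # skipped, not needed for this lookup
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def realm_for_host(conf, hostname):
    """Simplified MIT [domain_realm] rule (assumption: exact host entry first,
    then the longest parent domain written with a leading dot, else default_realm)."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):   # ".your.domain.org", ".domain.org", ".org"
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf["libdefaults"]["default_realm"]

def realm_for_principal(conf, principal):
    """A bare user name (what `kinit user` sends) goes to default_realm; a
    host-based service principal is placed by the hostname after the slash."""
    if "/" in principal:
        return realm_for_host(conf, principal.split("/", 1)[1])
    return conf["libdefaults"]["default_realm"]
```

This only models the name-to-realm mapping; the cross-realm ticket path declared in [capaths] still has to be confirmed with kinit and klist against the real KDCs.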


