krb5.conf and cross-realm authentication
John Hascall
john at iastate.edu
Thu Jan 15 14:22:46 EST 2004
> I would like to use the WIN.AD accounts to access the NOT.WIN.AD resources.
> Can I use mappings in the krb5.conf [capaths] section to accomplish this?
If they are hierarchical like NOT.WIN.AD and WIN.AD,
I don't think you need any capaths; you just need to
create the principal krbtgt/NOT.WIN.AD@WIN.AD with the
same key in both KDCs.
At least that seems to work for me:
pvtest> klist
Ticket cache: FILE:/var/dss/kerberos/tkt/v5_3ff97c17073ec9
Default principal: john@IASTATE.EDU

Valid starting     Expires            Service principal
01/15/04 08:29:39  01/15/04 18:29:37  krbtgt/IASTATE.EDU@IASTATE.EDU
01/15/04 08:45:02  01/15/04 18:29:37  krbtgt/MIDDLE-EARTH.IASTATE.EDU@IASTATE.EDU
01/15/04 08:45:13  01/15/04 18:29:37  host/rhovanion.ait.iastate.edu@MIDDLE-EARTH.IASTATE.EDU
01/15/04 12:53:45  01/15/04 18:29:37  host/lambda.ait.iastate.edu@IASTATE.EDU
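The rule behind the reply above (hierarchically related realms need no [capaths] entry, only a shared krbtgt/NOT.WIN.AD@WIN.AD key) can be made concrete with a small model. The following is an added example written for this page, not code from the post or from MIT Kerberos: it reproduces the default hierarchical realm walk (climb from the client realm to the longest common dotted suffix, then descend to the server realm), lists the cross-realm TGT principals that walk requires, and parses a minimal [capaths] section to show where an explicit entry would change the path. The realms WIN.AD, NOT.WIN.AD, IASTATE.EDU and MIDDLE-EARTH.IASTATE.EDU come from the thread; A.EXAMPLE.COM, B.EXAMPLE.COM and HUB.EXAMPLE.NET, and the krb5.conf fragment, are constructed for illustration. How the walk behaves when the realms share no common suffix at all is an assumption of this model.

```python
# Added example (not from the post): model the Kerberos realm walk that makes
# [capaths] unnecessary for hierarchically related realms, and compare it with
# an explicit [capaths] entry. Realm names other than WIN.AD / NOT.WIN.AD and
# IASTATE.EDU / MIDDLE-EARTH.IASTATE.EDU are constructed for illustration.


def hierarchical_path(client_realm, server_realm):
    """Realms traversed from client_realm to server_realm, both included.

    Default (no [capaths]) rule: split each realm on '.', find the longest
    common suffix, climb from the client realm to that common ancestor, then
    descend to the server realm. If one realm is an ancestor of the other,
    the path is direct. With no common suffix at all this model climbs to the
    top-level component of each realm (an assumption of the model).
    """
    if client_realm == server_realm:
        return [client_realm]
    c = client_realm.split(".")
    s = server_realm.split(".")
    n = 0  # number of trailing components shared by both realms
    while n < len(c) and n < len(s) and c[-1 - n] == s[-1 - n]:
        n += 1
    # climb: client realm, its parent, ..., up to and including the common ancestor
    climb = [".".join(c[i:]) for i in range(len(c) - n + 1) if c[i:]]
    # descend: the common ancestor's child on the server side, ..., server realm
    descend = [".".join(s[j:]) for j in range(len(s) - n - 1, -1, -1)]
    return climb + descend


def cross_realm_tgts(path):
    """Cross-realm TGT principals needed for the path, one per hop.

    Each hop realm CUR must hold krbtgt/NEXT@CUR with a key identical to the
    copy held by NEXT; the ticket is only good in this direction.
    """
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(path, path[1:])]


# Constructed krb5.conf fragment: a direct entry (".") that merely restates the
# hierarchical default, and a non-hierarchical detour via HUB.EXAMPLE.NET.
CAPATHS = """\
[libdefaults]
    default_realm = WIN.AD

[capaths]
    WIN.AD = {
        NOT.WIN.AD = .
    }
    A.EXAMPLE.COM = {
        B.EXAMPLE.COM = HUB.EXAMPLE.NET
    }
"""


def parse_capaths(text):
    """Minimal parser for the [capaths] section of a krb5.conf.

    Returns {client_realm: {server_realm: [intermediate, ...]}}. A value of
    "." means a direct hop (empty intermediate list); repeated lines for the
    same server realm add successive intermediates, as krb5.conf allows.
    """
    capaths = {}
    in_section = False
    client = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[capaths]"
            continue
        if not in_section:
            continue
        if line.endswith("{"):
            client = line[:-1].strip().rstrip("=").strip()
            capaths.setdefault(client, {})
        elif line == "}":
            client = None
        elif client is not None and "=" in line:
            server, hop = (part.strip() for part in line.split("=", 1))
            hops = capaths[client].setdefault(server, [])
            if hop != ".":
                hops.append(hop)
    return capaths


def realm_path(client_realm, server_realm, capaths):
    """Path the client follows: the explicit [capaths] entry if one exists,
    otherwise the hierarchical default."""
    explicit = capaths.get(client_realm, {}).get(server_realm)
    if explicit is None:
        return hierarchical_path(client_realm, server_realm)
    return [client_realm, *explicit, server_realm]


if __name__ == "__main__":
    cp = parse_capaths(CAPATHS)
    for client, server in [("WIN.AD", "NOT.WIN.AD"),
                           ("IASTATE.EDU", "MIDDLE-EARTH.IASTATE.EDU"),
                           ("A.EXAMPLE.COM", "B.EXAMPLE.COM")]:
        default = hierarchical_path(client, server)
        chosen = realm_path(client, server, cp)
        print(f"{client} -> {server}")
        print("  default path :", " -> ".join(default))
        print("  with capaths :", " -> ".join(chosen))
        print("  shared keys  :", ", ".join(cross_realm_tgts(chosen)))
```

For WIN.AD -> NOT.WIN.AD the default walk is already direct, so the [capaths] entry adds nothing and the only key that must match on both KDCs is krbtgt/NOT.WIN.AD@WIN.AD, matching the reply. Two sibling realms such as A.EXAMPLE.COM and B.EXAMPLE.COM would by default route through EXAMPLE.COM and need two shared keys, which is where [capaths] starts to matter. Note that a cross-realm TGT is one-directional: letting NOT.WIN.AD users reach WIN.AD resources would require krbtgt/WIN.AD@NOT.WIN.AD as well.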