AW: Proof of authenticity of TGT

Douglas E. Engert deengert at anl.gov
Wed Aug 23 11:23:52 EDT 2006



Ken Raeburn wrote:

> On Aug 23, 2006, at 3:43, Olfmatic wrote:
> 
>> I understand your warnings. But it is not possible to add the
>> service to the realm, because it is running on a host that is not
>> in the same Windows domain and not in the same Kerberos realm.

Not true at least for Unix hosts. A service is "in a realm"
by virtue of possessing the key of a service principal registered
in the realm. The same service could accept tickets issued by
multiple independent realms, if it had entries in its keytab
for the principals.

Now if the service is running on Windows, and you are using the Windows
Kerberos it might not be true, because Windows does more than Kerberos
authentication.

>> To be more precise, it is not running in a Kerberos realm at all and
>> thus is not really a Kerberos service.

Then why are you trying to use Kerberos?

> 
>
> Ken
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
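
Added example, not part of the original message: a small Python reader for the MIT keytab file format (version 0x0502) that lists, per realm, the service principals a keytab holds keys for, which is what determines whose tickets the service can accept. The realm names, host name, and all-zero keys are constructed sample values.

```python
import struct

def read_counted(buf, off):  # uint16 length prefix, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Yield (principal, realm, kvno, enctype) from an MIT 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size marks a deleted entry (hole)
            off -= size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, off)
        names, p = [], off + 2
        for _ in range(ncomp + 1):    # realm first, then the name components
            name, p = read_counted(data, p)
            names.append(name.decode())
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = read_counted(data, p + 11)
        if end - p >= 4:              # optional trailing 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        yield "/".join(names[1:]), names[0], kvno, etype
        off = end

def realms_accepted(data):
    """Map each realm to the service principals this keytab holds keys for."""
    out = {}
    for princ, realm, _kvno, _etype in parse_keytab(data):
        out.setdefault(realm, set()).add(princ)
    return {realm: sorted(p) for realm, p in out.items()}

def make_entry(realm, comps, kvno, etype, key):  # builds the constructed sample only
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + b"".join(s(x.encode()) for x in [realm, *comps])
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + s(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one host holding keys from two independent (hypothetical) realms.
SAMPLE = b"\x05\x02" + b"".join(
    make_entry(r, ["host", "app.example.org"], 3, 18, bytes(32))
    for r in ("REALM-A.EXAMPLE", "REALM-B.EXAMPLE"))
```

Running `realms_accepted` over a host's keytab gives a quick audit of which realms' tickets its services are able to accept.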


