Cross-realm trust

Philippe Perrin philippeperrin at yahoo.com
Fri Feb 15 15:41:39 EST 2002 

"Tim Mooney" <mooney at dogbert.cc.ndsu.NoDak.edu> a écrit dans le message de
news: Pine.OSF.4.44.0202151249300.62473-100000 at dogbert.cc.ndsu.NoDak.edu...
> In regard to: Re: Cross-realm trust, Sam Hartman said (at 1:24pm on Feb
15,...:
>
> >>>>>> "Philippe" == Philippe Perrin <philippeperrin at yahoo.com> writes:
> >
> >    Philippe> Hello
> >    Philippe> I'm now willing to allow users authenticated in REALM1 to
use services of
> >    Philippe> REALM2. I configured everything as I think I should have,
and then I made a
> >    Philippe> user authenticate in REALM1, and used a telnet server in
REALM2. The only
> >    Philippe> way I found to make it work was to add a ~/.k5login file
containing
> >    Philippe> "user at REALM1" on the server.
> >    Philippe> How could I avoid writing such files for every user ? Can I
make this server
> >
> >That's how it should work.  Cross realm keys only enable
> >authentication between the two realms; they say nothing about
> >authorization.

OK, that's a clear answer. It's almost the conclusion I had come to.

> I asked basically this same question (why does cross realm require
> .k5login for each user) back in mid-September of 2000.  A fairly long
> thread evolved out of the question, with some great information by
> Ken Hornstein and others.

I've just gone through it : an interesting thread, thank you (I like the
example of the boss username added to the trusted realm...). Now I even
understand why the things are this way :)

> Philippe, the reason this is required is that Kerberos doesn't assume that
> the local account for bob (on a machine in REALM1) is the same person
> as bob at REALM2.  With cross realm, it could easily be the case that
> `bob at REALM2' should really map to `jimbob' on the local machine.
> That's why the .k5login is required.
>
> In my case (and apparently in yours) I *can* guarantee that usernames
> on machines always exactly match the principal, no matter what realm
> they're in (so bob at REALM2 should be able to log into the `bob' account
> on a machine that's in REALM1).

I'm actually running interoperability tests among different Kerberos
solutions (W2K, MIT, SEAM, Heimdal...). So it can be said that the usernames
of my realms match the policies of my choice.

> Ken Hornstein suggested looking into the k5userok() function.  See
> the thread in September of 2000 for more info.
>
> Tim

Now I know where to look if I want the name matching mechanisms to behave
like your "bob" examples (the k5userok() function), thank you. Did you try
to alter this function in the way you described in September 2000 (with LDAP
ACLs) ?

Philippe

More information about the Kerberos mailing list