Cross realm authentication

CJ Keist cjay at
Mon Aug 18 12:59:53 EDT 2003

      Reading the docs on cross realm authentication is making me go  
crossed eyed ;).  I'll try my best to explain what it is I'm wanting to  
do with cross realm authentication.
We have two realms 1) COLOSTATE.EDU and 2) ENGR.COLOSTATE.EDU (my  
realm).  The top realm is going to house just user principals with  
passwords, and my realm will house just my host principals.  So what I  
want to happen is when a user tries to login to one of my workstations  
it will go to my KDC, my KDC will say I don't know this user so will  
pass it on to COLOSTATE.EDU KDC server.  The COLOSTATE.EDU KDC will say  
yes I know this user and then pass the authentication on down to my KDC  
and then on to the client so the user will be able to login.
Reason I have to do this is that the Network guys for CSU don't want me  
to login to their KDC server, and they don't want to enter in all my  
host principals.  So we're trying to find a work around.

Here is what my krb5.conf file looks like:

# krb5.conf template
         default_realm = ENGR.COLOSTATE.EDU

                 kdc =
                 admin_server =
         COLOSTATE.EDU = {
                 kdc = kdc1.KERBEROS.ColoState.EDU:88
                 admin_server = kdc1.KERBEROS.ColoState.EDU:749
                 default_domain =

                 COLOSTATE.EDU = .

[domain_realm] = ENGR.COLOSTATE.EDU

  Can anyone see what I'm doing wrong?


C. J. Keist                     Email: cj.keist at
UNIX/Network Manager            Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'"

More information about the Kerberos mailing list