Cross realm authentication

CJ Keist cjay at engr.colostate.edu
Mon Aug 18 12:59:53 EDT 2003


Hello,
      Reading the docs on cross realm authentication is making me go
cross-eyed ;).  I'll try my best to explain what it is I'm wanting to
do with cross realm authentication.
We have two realms 1) COLOSTATE.EDU and 2) ENGR.COLOSTATE.EDU (my
realm).  The top realm is going to house just user principals with
passwords, and my realm will house just my host principals.  So what I
want to happen is when a user tries to log in to one of my workstations
it will go to my KDC, my KDC will say I don't know this user so will
pass it on to COLOSTATE.EDU KDC server.  The COLOSTATE.EDU KDC will say
yes I know this user and then pass the authentication on down to my KDC
and then on to the client so the user will be able to log in.
Reason I have to do this is that the Network guys for CSU don't want me
to log in to their KDC server, and they don't want to enter in all my
host principals.  So we're trying to find a workaround.

Here is what my krb5.conf file looks like:

# krb5.conf template
#
[libdefaults]
         default_realm = ENGR.COLOSTATE.EDU

[realms]
         ENGR.COLOSTATE.EDU = {
                 kdc = kerberos.engr.colostate.edu
                 admin_server = kerberos.engr.colostate.edu
         }
         COLOSTATE.EDU = {
                 kdc = kdc1.KERBEROS.ColoState.EDU:88
                 admin_server = kdc1.KERBEROS.ColoState.EDU:749
                 default_domain = kerberos.colostate.edu
         }

[capaths]
         ENGR.COLOSTATE.EDU = {
                 COLOSTATE.EDU = .
         }

[domain_realm]
         .engr.colostate.edu = ENGR.COLOSTATE.EDU

  Can anyone see what I'm doing wrong?

---------------------------------------------------------------------------

C. J. Keist                     Email: cj.keist at engr.colostate.edu
UNIX/Network Manager            Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

"All I want is a chance to prove 'Money can't buy happiness'"
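
An added example, not part of the original post: a small Python check that reads the [capaths] section as posted and reports which direction of cross-realm access it covers. It relies on the MIT krb5.conf convention that each [capaths] subsection is named for the client realm and each relation inside it for the server realm; the function names are hypothetical.

```python
import re

# [capaths] and [domain_realm] exactly as posted above.
POSTED = """
[capaths]
         ENGR.COLOSTATE.EDU = {
                 COLOSTATE.EDU = .
         }

[domain_realm]
         .engr.colostate.edu = ENGR.COLOSTATE.EDU
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediates]}}."""
    paths, section, client = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, client = header.group(1), None
        elif section != "capaths":
            continue
        elif line == "}":
            client = None
        elif line.endswith("{"):
            client = line.split("=", 1)[0].strip()
            paths.setdefault(client, {})
        elif client and "=" in line:
            server, via = (s.strip() for s in line.split("=", 1))
            paths[client].setdefault(server, []).append(via)
    return paths

def check_path(paths, client_realm, server_realm):
    """How a principal in client_realm reaches a service in server_realm."""
    hops = paths.get(client_realm, {}).get(server_realm)
    if hops is None:
        return "no capaths entry"   # the hierarchical default applies
    return "direct" if hops == ["."] else "via " + ", ".join(hops)

def cross_realm_tgt(client_realm, server_realm):
    """Principal needed in both KDC databases with an identical key."""
    return f"krbtgt/{server_realm}@{client_realm}"

if __name__ == "__main__":
    paths = parse_capaths(POSTED)
    users, hosts = "COLOSTATE.EDU", "ENGR.COLOSTATE.EDU"
    print("users -> hosts:", check_path(paths, users, hosts))
    print("hosts -> users:", check_path(paths, hosts, users))
    print("needed:", cross_realm_tgt(users, hosts))
```

For the layout in the post, with user principals in COLOSTATE.EDU and host principals in ENGR.COLOSTATE.EDU, the direction that matters is the first one, which the posted [capaths] does not define.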


