Cross realm authentication

Douglas E. Engert deengert at
Mon Aug 18 13:51:55 EDT 2003

CJ Keist wrote:
> Hello,
>       Reading the docs on cross realm authentication is making me go
> crossed eyed ;).  I'll try my best to explain what it is I'm wanting to
> do with cross realm authentication.
> We have two realms 1) COLOSTATE.EDU and 2) ENGR.COLOSTATE.EDU (my
> realm).  The top realm is going to house just user principals with
> passwords, and my realm will house just my host principals.  So what I
> want to happen is when a user tries to login to one of my workstations
> it will go to my KDC, 

The user should login as user at COLORADO.EDU, then the client will
contact the COLORADO.EDU realm directly. Later when trying to get
a host ticket the lib will get the crossrealm TGT then the service ticket.

> my KDC will say I don't know this user so will
> pass it on to COLOSTATE.EDU KDC server. 

This would be a referral, which W2K supports, but not necessarily 
any of the other Kerberos code yet.  

> The COLOSTATE.EDU KDC will say
> yes I know this user and then pass the authentication on down to my KDC

It would return a krbtgt/COLOSTATE.EDU at COLOSTATE.EDU

Then later the client would use the above tgt to get a tgt for:

Then use this to get the :


> and then on to the client so the user will be able to login.
> Reason I have to do this is that the Network guys for CSU don't want me
> to login to their KDC server, and they don't want to enter in all my
> host principals.  So we're trying to find a work around.
> Here is what my krb5.conf file looks like:
> # krb5.conf template
> #
> [libdefaults]
>          default_realm = ENGR.COLOSTATE.EDU
> [realms]
>          ENGR.COLOSTATE.EDU = {
>                  kdc =
>                  admin_server =
>          }
>          COLOSTATE.EDU = {
>                  kdc = kdc1.KERBEROS.ColoState.EDU:88
>                  admin_server = kdc1.KERBEROS.ColoState.EDU:749
>                  default_domain =
>          }
> [capaths]
>          ENGR.COLOSTATE.EDU = {
>                  COLOSTATE.EDU = .
>          }

You really don't need the [capaths] as the default is to walk the 
realms, and ENGR.COLOSTATE.EDU would be next to COLOSTATE.EDU

If you do have the [capaths] you should have both directions but
that should not be a problem. 

The [capaths] was added to allow not obvious paths, like 
> [domain_realm]
>   Can anyone see what I'm doing wrong?
> -----------------------------------------------------------------------------------------------------
> C. J. Keist                     Email: cj.keist at
> UNIX/Network Manager            Phone: 970-491-0630
> Engineering Network Services    Fax:   970-491-5569
> College of Engineering, CSU
> Ft. Collins, CO 80523-1301
> All I want is a chance to prove 'Money can't buy happiness'"
> ________________________________________________
> Kerberos mailing list           Kerberos at


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
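The ticket chain Engert describes (initial TGT, then a cross-realm TGT, then the host ticket) and his advice to list [capaths] in both directions, as an added Python model; this is not code from the thread or from MIT krb5. The realm names, the dictionary shape used for [capaths], and the approximation of the default hierarchical walk are assumptions.

```python
# Constructed model of the Kerberos cross-realm ticket chain discussed above
# (added illustration; not code from the thread or from any Kerberos release).
# Assumptions: realm names are dot-separated; a [capaths] value of "." means a
# direct path, as in the poster's krb5.conf; the default hierarchical walk is
# modelled as "up to the longest common realm suffix, then down".

def hierarchical_path(client_realm, server_realm):
    """Intermediate realms used when no [capaths] entry matches."""
    c, s = client_realm.split("."), server_realm.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    up = [".".join(c[i:]) for i in range(len(c) - common + 1)]    # client, parents...
    down = [".".join(s[i:]) for i in range(len(s) - common + 1)]  # server, parents...
    full = []
    for realm in up + down[::-1]:
        if realm and (not full or full[-1] != realm):  # drop empty root, repeats
            full.append(realm)
    return full[1:-1]                                  # endpoints are not transit realms

def transit_path(client_realm, server_realm, capaths=None):
    """Realms traversed between client and server realm; [capaths] wins."""
    entry = (capaths or {}).get(client_realm, {}).get(server_realm)
    if entry is None:
        return hierarchical_path(client_realm, server_realm)
    return [r for r in entry if r != "."]

def ticket_chain(client_realm, service_principal, capaths=None):
    """Principals requested in order: initial TGT, cross-realm TGTs, service."""
    server_realm = service_principal.rsplit("@", 1)[1]
    hops = [client_realm]
    if server_realm != client_realm:
        hops += transit_path(client_realm, server_realm, capaths) + [server_realm]
    chain = [f"krbtgt/{client_realm}@{client_realm}"]   # obtained at login
    for issuer, target in zip(hops, hops[1:]):
        chain.append(f"krbtgt/{target}@{issuer}")        # asked of issuer's KDC
    return chain + [service_principal]

def missing_reverse_entries(capaths):
    """(client, server) pairs that [capaths] lists in one direction only."""
    return [(server, client) for client, targets in capaths.items()
            for server in targets if client not in capaths.get(server, {})]

if __name__ == "__main__":
    # The thread's case: user from COLOSTATE.EDU logging in to an ENGR host.
    for p in ticket_chain("COLOSTATE.EDU", "host/ws.engr.colostate.edu@ENGR.COLOSTATE.EDU"):
        print(p)
    print(missing_reverse_entries({"ENGR.COLOSTATE.EDU": {"COLOSTATE.EDU": ["."]}}))
```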
