Cross realm authentication
CJ Keist
cjay at engr.colostate.edu
Mon Aug 18 15:16:06 EDT 2003
If I understand your message here, then Kerberos right now is not
capable of handling this setup. In that a master realm that holds just
user principals, with sub realms holding host principals cannot
authenticate a user logging into a client machine in one of the sub
realms?
On Monday, August 18, 2003, at 11:51 AM, Douglas E. Engert wrote:
>
>
> CJ Keist wrote:
>>
>> Hello,
>> Reading the docs on cross realm authentication is making me go
>> cross-eyed ;). I'll try my best to explain what it is I'm wanting to
>> do with cross realm authentication.
>> We have two realms 1) COLOSTATE.EDU and 2) ENGR.COLOSTATE.EDU (my
>> realm). The top realm is going to house just user principals with
>> passwords, and my realm will house just my host principals. So what I
>> want to happen is when a user tries to login to one of my workstations
>> it will go to my KDC,
>
> The user should login as user at COLORADO.EDU, then the client will
> contact the COLORADO.EDU realm directly. Later when trying to get
> a host ticket the lib will get the crossrealm TGT then the service
> ticket.
>
In this case wouldn't the COLORADO.EDU KDC have to have the client
machine host principal?
>> my KDC will say I don't know this user so will
>> pass it on to COLOSTATE.EDU KDC server.
>
> This would be a referral, which W2K supports, but not necessarily
> any other Kerberos code yet.
>
>> The COLOSTATE.EDU KDC will say
>> yes I know this user and then pass the authentication on down to my
>> KDC
>
> It would return a krbtgt/COLOSTATE.EDU at COLOSTATE.EDU
>
> Then later the client would use the above tgt to get a tgt for:
>
> krbtgt/ENGR.COLOSTATE.EDU at COLOSTATE.EDU
>
> Then use this to get the :
>
> host/host.engr.colorado.edu at ENGR.COLOSTATE.EDU
>
>> and then on to the client so the user will be able to login.
>> Reason I have to do this is that the Network guys for CSU don't want me
>> to login to their KDC server, and they don't want to enter in all my
>> host principals. So we're trying to find a work around.
>>
>> Here is what my krb5.conf file looks like:
>>
>> # krb5.conf template
>> #
>> [libdefaults]
>>     default_realm = ENGR.COLOSTATE.EDU
>>
>> [realms]
>>     ENGR.COLOSTATE.EDU = {
>>         kdc = kerberos.engr.colostate.edu
>>         admin_server = kerberos.engr.colostate.edu
>>     }
>>     COLOSTATE.EDU = {
>>         kdc = kdc1.KERBEROS.ColoState.EDU:88
>>         admin_server = kdc1.KERBEROS.ColoState.EDU:749
>>         default_domain = kerberos.colostate.edu
>>     }
>>
>> [capaths]
>>     ENGR.COLOSTATE.EDU = {
>>         COLOSTATE.EDU = .
>>     }
>
>
> You really don't need the [capaths] as the default is to walk the
> realms, and ENGR.COLOSTATE.EDU would be next to COLOSTATE.EDU
>
> If you do have the [capaths] you should have both directions but
> that should not be a problem.
>
> The [capaths] was added to allow not obvious paths, like
> XYZ.EDU to ABC.GOV
>
>>
>> [domain_realm]
>>     .engr.colostate.edu = ENGR.COLOSTATE.EDU
>>
>> Can anyone see what I'm doing wrong?
>>
>> -----------------------------------------------------------------------------------------------------
>>
>> C. J. Keist Email: cj.keist at engr.colostate.edu
>> UNIX/Network Manager Phone: 970-491-0630
>> Engineering Network Services Fax: 970-491-5569
>> College of Engineering, CSU
>> Ft. Collins, CO 80523-1301
>>
>> All I want is a chance to prove 'Money can't buy happiness'"
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
---------------------------------------------------------------------------------------------------
C. J. Keist Email: cj.keist at engr.colostate.edu
UNIX/Network Manager Phone: 970-491-0630
Engineering Network Services Fax: 970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301
All I want is a chance to prove 'Money can't buy happiness'"
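The ticket sequence Douglas lays out above (the user's own TGT from COLOSTATE.EDU, then the cross-realm TGT krbtgt/ENGR.COLOSTATE.EDU@COLOSTATE.EDU, then the host ticket), together with the default "walk the realms" behaviour and the [capaths] override, modelled in Python as an added example. This is not code from the thread or from MIT krb5: the CAPATHS and DOMAIN_REALM dicts stand in for the krb5.conf sections (with both capaths directions present, as the reply recommends), the host name ws1.engr.colostate.edu is constructed, and the rule that realms with no common suffix meet at the top-level component is an assumption about the hierarchical default.

```python
"""Model of the realm walk a Kerberos client performs for a cross-realm request.

Added example, not code from the mailing-list thread or from MIT krb5: the
[capaths] and [domain_realm] data are constructed dicts mirroring the two
realms in the thread, and the hierarchical walk is a simplified model of the
default behaviour described in the reply.
"""
from typing import Dict, List, Optional

# Constructed equivalent of [capaths] with both directions present.
# "." means "direct, no intermediate realm".
CAPATHS: Dict[str, Dict[str, List[str]]] = {
    "ENGR.COLOSTATE.EDU": {"COLOSTATE.EDU": ["."]},
    "COLOSTATE.EDU": {"ENGR.COLOSTATE.EDU": ["."]},
}

# Constructed equivalent of [domain_realm]; a leading dot matches a whole domain.
DOMAIN_REALM: Dict[str, str] = {
    ".engr.colostate.edu": "ENGR.COLOSTATE.EDU",
    ".colostate.edu": "COLOSTATE.EDU",
}


def host_to_realm(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Map a host name to its realm: an exact host entry wins, then the
    longest matching parent domain. None means 'fall back to default_realm'."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None


def hierarchical_path(client_realm: str, server_realm: str) -> List[str]:
    """Default realm walk: up from the client realm to the longest common
    suffix, then down to the server realm. Assumption: realms with no
    common suffix (XYZ.EDU -> ABC.GOV) meet via their top-level components."""
    if client_realm == server_realm:
        return [client_realm]
    c, s = client_realm.split("."), server_realm.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    up = [".".join(c[i:]) for i in range(len(c) - common)]              # client and its parents
    ancestor = [".".join(c[len(c) - common:])] if common else []        # shared suffix realm
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, -1, -1)]  # down to the server
    return up + ancestor + down


def realm_route(client_realm: str, server_realm: str,
                capaths: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """A [capaths] entry overrides the hierarchical walk; otherwise walk."""
    hops = capaths.get(client_realm, {}).get(server_realm)
    if hops is None:
        return hierarchical_path(client_realm, server_realm)
    return [client_realm] + [r for r in hops if r != "."] + [server_realm]


def ticket_chain(user_realm: str, service: str,
                 capaths: Dict[str, Dict[str, List[str]]],
                 domain_realm: Dict[str, str]) -> List[str]:
    """Tickets the client obtains, in order, for a service 'type/host':
    the local TGT, one cross-realm TGT per hop, then the service ticket.
    The user's realm comes from the login principal, not from the
    workstation's default_realm, so the first TGT is issued by user_realm."""
    host = service.split("/", 1)[1]
    server_realm = host_to_realm(host, domain_realm) or user_realm
    realms = realm_route(user_realm, server_realm, capaths)
    tickets = [f"krbtgt/{user_realm}@{user_realm}"]
    tickets += [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(realms, realms[1:])]
    tickets.append(f"{service}@{server_realm}")
    return tickets


if __name__ == "__main__":
    # The thread's scenario: a COLOSTATE.EDU user logging into an ENGR workstation.
    for t in ticket_chain("COLOSTATE.EDU", "host/ws1.engr.colostate.edu", CAPATHS, DOMAIN_REALM):
        print(t)
```

Run as a script it prints the three tickets from the reply, local TGT, cross-realm TGT, host ticket. The model also shows why the ENGR KDC never needs the user's password: the login principal's realm decides which KDC issues the first TGT, and only the cross-realm TGT is presented to kerberos.engr.colostate.edu. Passing an empty capaths for XYZ.EDU -> ABC.GOV shows the extra hops the hierarchical default inserts and why a [capaths] entry is needed for "not obvious" paths.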