Question: want different default_realm for service and user principals

Dirk Pape pape at inf.fu-berlin.de
Thu Aug 12 02:37:54 EDT 2004


Hello,

I want to do the following with two kerberos realms which trust each 
other:

first realm "FOO.ORG" holds only user principals; it is based on a 
Windows 2003 Server AD.

second realm "BAR.FOO.ORG" holds service principals for unix services, 
such as "host/domain@BAR.FOO.ORG" for all unix hosts running ssh.
We want to hold these principals in a MIT-Kerberos-based KDC, because we 
like to use the well-known and well-documented kadmin tool to remotely 
create service principals in that domain.

As I understand it, it will be possible to authenticate as "user@FOO.ORG" to 
a service running with a keytab for a service principal 
"service/domain@BAR.FOO.ORG" if both realms trust each other.

First question: is this correct and a reasonable scenario? (We could not 
yet test it because we have not yet set up the BAR.FOO.ORG domain.)

If this works and is a reasonable approach, then we see the following 
problem from our tests.

Let the [libdefaults] section in /etc/krb5.conf on the unix host running 
the kerberized ssh service contain "default_realm = BAR.FOO.ORG"; then 
obtaining user TGTs on login (via PAM) or by "kinit user" on this host 
will fail, because it will try to get them from realm BAR.FOO.ORG.

On the other hand, if "default_realm = FOO.ORG", the ssh service and 
other services would not find the correct keytab entry because they look 
for "service/domain@FOO.ORG" instead of "service/domain@BAR.FOO.ORG".

From what I see, I need to specify somehow that SPNs and user PNs come 
from different realms by default.

Is this doable with some configuration options on the unix host? (I 
already tried many things with the sections [domain_realm] and 
[appdefaults] but I could not find a way.)

I would appreciate every hint.

The other approach for our problem would be to find or implement an RPC 
on the windows server running AD, which like kadmin/kadmind enables 
admins to create SPNs remotely and transfer keytab securely to the 
service host.

Last question: does anybody know such a daemon for Windows 2003 Server?

Thanks,
Dirk.

-- 
Dr. Dirk Pape (Leiter des Rechnerbetriebs)
FB Mathematik und Informatik der FU-Berlin
Takustr. 9, 14195 Berlin
Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190
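As an added illustration, not part of Dirk's post, a krb5.conf for the unix host in the two-realm layout he describes. In MIT Kerberos, default_realm is the realm appended to a name that carries none (so "kinit user" becomes user@FOO.ORG), while the realm of a host-based service principal is taken from the [domain_realm] mapping of the host's name, so the two can differ. Hostnames and KDC names (dc.foo.org, kdc.bar.foo.org, .bar.foo.org) are placeholders.

```ini
# Added example krb5.conf for a unix host in bar.foo.org (not from the post).
# Hostnames and KDC names below are placeholders.

[libdefaults]
    # Realm used for principal names given without a realm:
    # "kinit user" and PAM logins resolve to user@FOO.ORG,
    # the AD realm where the user accounts live.
    default_realm = FOO.ORG

[realms]
    FOO.ORG = {
        # Windows 2003 AD domain controller acting as KDC (placeholder name)
        kdc = dc.foo.org
    }
    BAR.FOO.ORG = {
        # MIT KDC holding the unix service principals (placeholder name);
        # admin_server is where kadmin connects to create SPNs remotely
        kdc = kdc.bar.foo.org
        admin_server = kdc.bar.foo.org
    }

[domain_realm]
    # Host-to-realm mapping consulted when a service principal is built
    # from a hostname (longest matching suffix wins). A host named
    # ssh1.bar.foo.org therefore looks for host/ssh1.bar.foo.org@BAR.FOO.ORG
    # in its keytab, regardless of default_realm above.
    .bar.foo.org = BAR.FOO.ORG
    bar.foo.org  = BAR.FOO.ORG
    .foo.org     = FOO.ORG
    foo.org      = FOO.ORG
```

The cross-realm keys (krbtgt/BAR.FOO.ORG@FOO.ORG and the reverse) live on the two KDCs, not in this file; a client holding user@FOO.ORG's TGT obtains a cross-realm ticket for BAR.FOO.ORG before requesting the host service ticket.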