Question: want different default_realm for service and user principals

Jeffrey Altman jaltman2 at nyc.rr.com
Thu Aug 12 02:52:55 EDT 2004


The approach is a valid way of doing things.
On the Unix system you will need to use more than one configuration
file and specify which one to use via the KRB5_CONFIG environment
variable.

Jeffrey Altman


Dirk Pape wrote:

> Hello,
> 
> I want to do the following with two kerberos realms which trust each 
> other:
> 
> first realm "FOO.ORG" holds only user principals, it is based on a 
> Windows 2003 Server AD.
> 
> second realm "BAR.FOO.ORG" holds service principals for unix services, 
> such as "host/domain at BAR.FOO.ORG" for all unix hosts running ssh.
> We want to hold these principals in a MIT-kerb. based KDC, because we 
> like to use the well known and well documented kadmin tool to remotely 
> create service principals in that domain.
> 
> As I understand it, it will be possible to authenticate as "user at FOO.ORG" to 
> a service running with a keytab for a service principal 
> "service/domain at BAR.FOO.ORG" if both realms trust each other.
> 
> First question: is this correct and a reasonable scenario? (we could not 
> yet test it because we did not yet set up the BAR.FOO.ORG domain).
> 
> If this works and is a reasonable approach, then we see the following 
> problem from our tests.
> 
> Let the [libdefaults] section in /etc/krb5.conf on the unix host running 
> the kerberized ssh service contain "default_realm = BAR.FOO.ORG"; then 
> obtaining user tgts on login (via pam) or by "kinit user" on this host 
> will fail, because it will try to get it from realm BAR.FOO.ORG.
> 
> On the other hand, if "default_realm = FOO.ORG", the ssh service and 
> other services would not find the correct keytab entry because they look 
> for "service/domain at FOO.ORG" instead of "service/domain at BAR.FOO.ORG".
> 
> From what I see, I need to specify somehow that SPNs and user PNs come 
> from different realms by default.
> 
> Is this doable with some configuration options on the unix host? (I 
> already tried many things with the sections [domain_realm] and 
> [appdefaults] but I could not find a way)
> 
> I would appreciate every hint.
> 
> The other approach for our problem would be to find or implement an RPC 
> on the windows server running AD, which like kadmin/kadmind enables 
> admins to create SPNs remotely and transfer keytab securely to the 
> service host.
> 
> Last question: does anybody know such a daemon for windows 2003 server?
> 
> Thanks,
> Dirk.
> 

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
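The two-configuration-file approach from the reply above, as an added example (not code from Jeffrey Altman, Dirk Pape, or the MIT Kerberos project): one krb5.conf with default_realm = FOO.ORG for interactive logins and kinit, a second one with default_realm = BAR.FOO.ORG for keytab-based services, and KRB5_CONFIG used to pick the right one per process. The KDC hostnames, the directory under $TMPDIR and the helper names (default_realm_of, realm_with_conf) are constructed for this example; in a real deployment the user file would be /etc/krb5.conf and the service file would be exported in the sshd init script.

```shell
#!/bin/sh
# Added example: split krb5.conf per default_realm, selected via KRB5_CONFIG.
# Directory and KDC hostnames below are constructed placeholders.
CONF_DIR="${TMPDIR:-/tmp}/krb5-split-example"
mkdir -p "$CONF_DIR"

# User-side configuration: what pam / kinit should see (users live in FOO.ORG).
# Both realms are listed so that cross-realm tickets for BAR.FOO.ORG services
# can still be obtained, and [domain_realm] maps service hosts to BAR.FOO.ORG.
cat > "$CONF_DIR/krb5-user.conf" <<'EOF'
[libdefaults]
    default_realm = FOO.ORG
    dns_lookup_kdc = false

[realms]
    FOO.ORG = {
        kdc = ad.foo.org
        admin_server = ad.foo.org
    }
    BAR.FOO.ORG = {
        kdc = kdc.bar.foo.org
        admin_server = kdc.bar.foo.org
    }

[domain_realm]
    .bar.foo.org = BAR.FOO.ORG
    bar.foo.org = BAR.FOO.ORG
    .foo.org = FOO.ORG
    foo.org = FOO.ORG
EOF

# Service-side configuration: identical except that default_realm is the
# realm holding the service principals, so sshd finds its keytab entry.
sed 's/^\( *default_realm = \).*/\1BAR.FOO.ORG/' \
    "$CONF_DIR/krb5-user.conf" > "$CONF_DIR/krb5-service.conf"

# default_realm_of FILE: print the default_realm set in a krb5.conf file.
default_realm_of() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
        | head -n 1
}

# realm_with_conf FILE: run in a subshell with KRB5_CONFIG pointed at FILE and
# report which default realm the Kerberos library would use there. A service
# start script would export KRB5_CONFIG the same way before exec'ing sshd.
realm_with_conf() (
    KRB5_CONFIG="$1"
    export KRB5_CONFIG
    default_realm_of "$KRB5_CONFIG"
)

# Demonstration of the split when the script is run directly.
echo "user processes  (kinit, pam): $(realm_with_conf "$CONF_DIR/krb5-user.conf")"
echo "service processes (sshd):     $(realm_with_conf "$CONF_DIR/krb5-service.conf")"
```

Run it once to generate both files and print the realm each environment resolves; the only difference between the files is the default_realm line, so keep them in sync by regenerating the service copy from the user copy as the script does rather than editing both by hand.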

