Question: want different default_realm for service and user principals
Dirk Pape
pape at inf.fu-berlin.de
Fri Aug 13 02:31:48 EDT 2004
Hello,
In article <411B1ED7.7B74EB15 at india.hp.com>,
Kiran Kumar M <mkiran at india.hp.com> wrote:
> [libdefaults]
> # This will ensure that we'll go to FOO.ORG to get tickets for users
> default_realm = FOO.ORG
> .....
>
> [realms]
> FOO.ORG = {
> kdc = svr.foo.org:88
> admin_server = svr.foo.org
> }
> BAR.FOO.ORG = {
> kdc = svr.bar.foo.org:88
> admin_server = svr.bar.foo.org
> }
> .....
> [domain_realm]
> .your.domain.org = BAR.FOO.ORG
> # This will ensure that principals of type service/xyz.your.domain.org will
> # be resolved to belong to BAR.FOO.ORG
> ...
> [capaths]
> BAR.FOO.ORG = {
> FOO.ORG = .
> }
> FOO.ORG = {
> BAR.FOO.ORG = .
> }
Thanks for the help, but I already tried this. The problem with this config
is that the services (ssh, libapache-kerb-auth, etc.) themselves, on start,
will not find their entry in the keytab which will authorize them to do
authentication of users. They use the default_realm as an extension to
identify the SPN of the keytab entry.
Or is the [capaths] section doing the magic so that Kerberos libs try
other (trusted) realms' names for finding a key?
Dirk.
--
Dr. Dirk Pape (Leiter des Rechnerbetriebs)
FB Mathematik und Informatik der FU-Berlin
Takustr. 9, 14195 Berlin
Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190
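
Added example, not part of either poster's message and not libkrb5 code: a simplified Python model of how the quoted [domain_realm] and default_realm settings assign a realm, showing that a host-based service name and the same name given as a plain string can land in different realms. The function names, the reduced sample config and the fallback to default_realm for unmapped hosts are assumptions of this example.

```python
# Added illustration: a simplified model of realm selection, not libkrb5 itself.
import re

# Constructed sample reduced from the quoted config (comments on their own lines).
SAMPLE_CONF = """\
[libdefaults]
default_realm = FOO.ORG

[domain_realm]
.your.domain.org = BAR.FOO.ORG
"""

def parse_sections(text):
    """Parse flat 'key = value' sections; nested { } blocks are not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def realm_for_host(conf, hostname):
    """Walk [domain_realm]: exact host, then each parent domain with and
    without its leading dot; fall back to default_realm (assumed fallback)."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    candidate = hostname.lower().rstrip(".")
    while candidate:
        if candidate in mapping:
            return mapping[candidate]
        if candidate.startswith("."):
            candidate = candidate[1:]
        else:
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""
    return conf["libdefaults"]["default_realm"]

def host_based_principal(conf, service, hostname):
    """Name built from service + host, realm taken from the host mapping."""
    return f"{service}/{hostname}@{realm_for_host(conf, hostname)}"

def parsed_principal(conf, name):
    """Name given as a plain string: a missing realm becomes default_realm."""
    return name if "@" in name else f"{name}@{conf['libdefaults']['default_realm']}"
```

Comparing the two results against the output of `klist -k` on the service host shows which spelling of the principal the keytab actually holds.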