[domain_realm] question

Douglas E. Engert deengert at anl.gov
Thu Feb 5 14:08:15 EST 2004



"Inger, Slav (S.B.)" wrote:
> 
> Final question for today:  is it explicitly disallowed for separate realms
> to map to a single DNS domain in [domain_realm] section? 

Usually a server is only in one realm. The client machine will use
the [domain_realm] to figure out what realm it is in, and request
a ticket for it from the server's realm. This might require the
user to get a cross realm TGT. This happens under the covers. 

> We have a
> situation where users belonging to separate realms are in the same DNS
> domain and cross-realm authentication for these users is a must. 

The realm of the user has very little to do with the realm of the server. 
Cross realm will get a ticket for the server in the server's realm. 
But on the server you may have to add a .k5login file to the user's
home directory, indicating that a user from the other realm may use this local
account. 

> When I
> tested this, Kerberos would get confused and deny cross-realm authentication
> requests. 

This is not clear, any error messages? 

> Just making sure I wasn't missing anything when I tried it.  If
> this is currently not an option, some thought needs to be given to
> scalability issues Kerberos faces in large heterogenous environments.

I use cross realm every day. You must be missing something. 


-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
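As an added illustration of the point made above (not code from the thread or from MIT krb5), this is a simplified model of how a client turns a service host name into a realm using [domain_realm]: the lookup takes only the host name, never the user's realm, and the table holds one realm per host or domain tag, which is why two realms cannot share one DNS domain in it. The krb5.conf text, realm names and the conflict handling are constructed for the example.

```python
# Constructed example: a client-side [domain_realm] lookup, modelled on the
# documented behaviour (exact host tag first, then parent-domain tags that
# begin with a dot). This is illustrative code, not libkrb5's own.

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG

[domain_realm]
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG
    kdc-eng.example.org = ENG.EXAMPLE.ORG
    .eng.example.org = ENG.EXAMPLE.ORG
"""

def parse_domain_realm(conf_text):
    """Return ({tag: realm}, [conflicts]) from the [domain_realm] section.

    Tags are lowercased (host names are case-insensitive). A second, different
    realm for the same tag is recorded as a conflict and the first one is kept:
    the table is one realm per host/domain, so a domain shared by two realms
    cannot be expressed here (constructed handling, not libkrb5's)."""
    mapping, conflicts, in_section = {}, [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = (line == "[domain_realm]")
            continue
        if not in_section or "=" not in line:
            continue
        tag, realm = (part.strip() for part in line.split("=", 1))
        tag = tag.lower()
        if tag in mapping and mapping[tag] != realm:
            conflicts.append((tag, mapping[tag], realm))
            continue
        mapping[tag] = realm
    return mapping, conflicts

def host_realm(hostname, mapping):
    """Resolve a service host to its realm. Only the host name is an input;
    the realm of the requesting user plays no part. Returns None when no tag
    matches (libkrb5 would then fall back to DNS lookups or KDC referrals)."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # longest parent domain first
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None
```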

