[domain_realm] question
Douglas E. Engert
deengert at anl.gov
Thu Feb 5 14:08:15 EST 2004
"Inger, Slav (S.B.)" wrote:
>
> Final question for today: is it explicitly disallowed for separate realms
> to map to a single DNS domain in [domain_realm] section?
Usually a server is only in one realm. The client machine will use
the [domain_realm] to figure out what realm it is in, and request
a ticket for it from the server's realm. This might require the
user to get a cross realm TGT. This happens under the covers.
> We have a
> situation where users belonging to separate realms are in the same DNS
> domain and cross-realm authentication for these users is a must.
The realm of the user has very little to do with the realm of the server.
Cross realm will get a ticket for the server in the server's realm.
But on the server you may have to add a .k5login file to the user's
home directory, indicating that a user from the other realm may use this local
account.
> When I
> tested this, Kerberos would get confused and deny cross-realm authentication
> requests.
This is not clear; any error messages?
> Just making sure I wasn't missing anything when I tried it. If
> this is currently not an option, some thought needs to be given to
> scalability issues Kerberos faces in large heterogenous environments.
I use cross realm every day. You must be missing something.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
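As an added illustration of the two pieces Doug describes (not code from the thread or from MIT krb5): the client-side [domain_realm] lookup that picks one realm per host or domain, and the server-side .k5login check that admits a principal from another realm. The krb5.conf fragment, the realm names and the match order (exact host, then each parent domain with and without its leading dot) are assumptions, a simplified model of the documented MIT behaviour.

```python
# Added example: models [domain_realm] host-to-realm lookup and a .k5login check.

# Constructed krb5.conf fragment: every host/domain key maps to exactly one realm,
# so two user realms sharing one DNS domain is not expressed here at all.
KRB5_CONF = """
[domain_realm]
    .example.com = ENG.EXAMPLE.COM
    payroll.example.com = FIN.EXAMPLE.COM
    example.com = ENG.EXAMPLE.COM
"""

def parse_domain_realm(text):
    """Return {key: realm} for the [domain_realm] section of a krb5.conf text."""
    mapping, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, realm = (s.strip() for s in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def host_realm(hostname, mapping):
    """Simplified model of the documented lookup: exact host name first, then
    each parent domain with its leading dot and, failing that, as a bare key
    (a bare domain key implicitly covers the hosts beneath it)."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        for key in ("." + suffix, suffix):
            if key in mapping:
                return mapping[key]
    return None  # no mapping: the real library falls back to other heuristics

def k5login_allows(k5login_text, principal):
    """True if the principal (user@REALM) is listed in the .k5login contents.
    This is how a user from another realm is let into a local account."""
    allowed = {l.strip() for l in k5login_text.splitlines() if l.strip()}
    return principal in allowed
```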