krb5.conf and cross-realm authentication
Douglas E. Engert
deengert at anl.gov
Thu Jan 15 14:50:23 EST 2004
O'Malley wrote:
>
> At our site we have principals (user accounts) in a Windows 2000 AD domain,
> let's call this realm WIN.AD. I have configured Kerberos on my workstation
> and can get my krbtgt from the AD using my account--so far so good.
>
> I have created a second realm for my servers, let's call this realm
> NOT.WIN.AD, where I have created "host", "telnet", and account principals.
> I can kinit and ktelnet between systems in the realm using the NOT.WIN.AD
> account principal (user1 at NOT.WIN.AD).
>
> I would like to use the WIN.AD accounts to access the NOT.WIN.AD resources.
> Can I use mappings in the krb5.conf [capaths] section to accomplish this?
Yes, we do that all the time. But you will need to set up the cross-realm keys.
See: http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
Section: "Setting Trust with a Kerberos Realm"
>
> I have already tried the following without success:
The capaths would not be needed in your case, as the default path
from NOT.WIN.AD is up to WIN.AD. But if the real realm names are
not directly related, then you would need the capaths.
>
> [capaths]
> NOT.WIN.AD = {
> WIN.AD = .
> }
> WIN.AD = {
> WIN.AD = .
> }
>
> thanks,
> ...Mike
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444