Cross-realm authentication?
Douglas E. Engert
deengert at anl.gov
Wed May 19 17:37:42 EDT 2004
Derek Harkness wrote:
>
> I've read a bit about cross-realm authentication and even kind of have
> it working, but not quite the way I want. So my question is: is what I
> want possible?
>
> I currently have two realms ITS and UMD I want all my users to be in
> UMD and all my servers and services in ITS. In the setup I currently
> have if I log into UMD and then use a kerberized telnet to server1 in
> ITS I get the proper tickets but get authorization denied unless I have
> a .k5login in my home directory. This isn't what I want.
Sounds almost like what we have. All the users are in a Windows
AD, and most of the unix boxes are in an MIT KDC based realm.
We have a local mod to the krb5 libs that will accept users from
either realm if they don't have a .k5login file. (If they do have a
.k5login, then that is used.)
Sounds like we could use Sam's patch for bug #957 in the next release.
>
> I want user at UMD to be able to access anything in the ITS realm. But
> user at ITS should not be able access anything UMD. The reason for this
> is UMD is currently outside my control and I simply want to use it for
> authentication. I want a one way trust basically.
But note that if UMD adds a user, and you happen to have a local user
on your machine with the same name, their user will be able to access
your local account. So you should be using some registry like Uniqname,
which I assume you are, as Uniqname came out of UMich.
>
> Thanks,
> Derek
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
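The authorization decision the thread is about (a .k5login file is authoritative when present; otherwise the principal's name must match the local account, and by default only the local realm is accepted, which is why the UMD login is refused on the ITS host) can be modelled in a few lines. The block below is an added example written for this page; it is not Engert's local krb5 library mod, not Sam's patch for bug #957, and not MIT krb5 code. The realms ITS and UMD come from the thread; the usernames (derek, backup, eve) and the accepted_realms parameter are assumptions made up for the illustration. The namespace_collisions helper is the check Engert's warning calls for: which local accounts would become reachable by a same-named principal once the remote realm is accepted.

```python
# Added example (not from the original page or MIT krb5): a model of the
# .k5login / same-name login authorization discussed in the thread.
from typing import Iterable, Optional, Sequence, Set, Tuple


def parse_principal(principal: str) -> Tuple[str, str]:
    """Split 'name[/instance]@REALM' into (name-with-instance, realm).

    The last '@' separates the realm, so instance components stay in the
    name part (e.g. 'host/server1@ITS' -> ('host/server1', 'ITS')).
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal: {principal!r}")
    return name, realm


def k5_authorized(
    principal: str,
    local_user: str,
    local_realm: str,
    k5login: Optional[Iterable[str]] = None,
    accepted_realms: Sequence[str] = (),
) -> bool:
    """Decide whether `principal` may log in as `local_user`.

    Rules modelled here:
      1. If a .k5login exists (k5login is not None), it is authoritative:
         the principal must be listed exactly, realm included.
      2. Otherwise the principal's name must equal the local username and its
         realm must be the host's own realm (stock behaviour in the thread) or
         one of `accepted_realms` (the behaviour of the local mod Engert
         describes; an assumption of this model, not a real krb5 option).
    """
    if k5login is not None:
        entries = {line.strip() for line in k5login if line.strip()}
        return principal in entries
    name, realm = parse_principal(principal)
    if name != local_user:
        return False
    return realm == local_realm or realm in accepted_realms


def namespace_collisions(local_users: Iterable[str],
                         remote_principals: Iterable[str],
                         remote_realm: str) -> Set[str]:
    """Local account names that a same-named principal in `remote_realm`
    would be able to log into once that realm is accepted without a
    .k5login. This is the audit Engert's warning implies."""
    remote_names = {
        parse_principal(p)[0] for p in remote_principals
        if parse_principal(p)[1] == remote_realm
    }
    return set(local_users) & remote_names


if __name__ == "__main__":
    # Constructed scenario matching the thread: host in ITS, user in UMD.
    print(k5_authorized("derek@UMD", "derek", "ITS"))                       # refused, as Derek saw
    print(k5_authorized("derek@UMD", "derek", "ITS", accepted_realms=("UMD",)))  # allowed with the mod
    print(k5_authorized("derek@UMD", "derek", "ITS", k5login=["derek@UMD\n"]))   # allowed via .k5login
    # Constructed sample user lists: local-only service accounts vs. UMD users.
    print(namespace_collisions({"derek", "backup", "oracle"},
                               ["derek@UMD", "backup@UMD", "eve@UMD"], "UMD"))
```

The collision set is what to compare against a shared registry such as Uniqname before turning on realm-wide acceptance: any local account in that set that was not issued from the same registry is a name clash, not the same person.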