kinit to a kdc having a cross-realm trust
Timo Veith
tv at rz-zw.fh-kl.de
Fri Nov 12 13:39:00 EST 2004
Hello kerberos subscribers,
The following question bothers a colleague of mine and me. We had a
little argument about this because we need to set up something like it at
work (Windows and MIT).
Is it possible for a user who is defined in realm ONE.NET to do a kinit
against the KDC of realm TWO.NET, where he isn't defined, when the two KDCs
have set up a cross-realm trust between them?
If I try this in a test setup, the KDC of realm TWO.NET says
kinit(v5): Client not found in Kerberos database while getting initial
credentials
As far as I understood the cross-realm mechanism, the thing in question
isn't possible, because the user of realm ONE.NET has to have a TGT of
his own realm first. Only then can he get the krbtgt for realm TWO.NET.
Little question aside: Does the user get the krbtgt for the other realm
from his own KDC (ONE.NET) or does he get it from the foreign KDC
(TWO.NET)? I would say from his own, but I am not sure.
However, maybe there is some krb5.conf setting (or somewhere else) that
tells the KDC of realm TWO.NET to ask the KDC of realm ONE.NET for the
credentials?
TIA and kind regards,
Timo
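An added illustration, not part of the post: a toy Python model of the ticket path the question describes, with the realm names, principal names and keys constructed for the example (no real KDC or krb5 library is involved). It shows kinit failing at the foreign KDC with the quoted error, and the cross-realm TGT krbtgt/TWO.NET@ONE.NET being issued by the user's home KDC before the foreign KDC accepts it.

```python
import hashlib
import hmac
import secrets

def seal(key, client, sname):
    """Stand-in for a ticket's encrypted part: a MAC under the service's key."""
    return hmac.new(key, f"{client}|{sname}".encode(), hashlib.sha256).digest()

class KDC:
    """Minimal model of one realm's KDC and its principal database (constructed)."""
    def __init__(self, realm):
        self.realm = realm
        self.keys = {f"krbtgt/{realm}@{realm}": secrets.token_bytes(32)}

    def add_principal(self, name, key=None):
        self.keys[name] = key or secrets.token_bytes(32)
        return self.keys[name]

    def as_req(self, user):
        """AS exchange (what kinit does): only this realm's own principals get a TGT."""
        client = f"{user}@{self.realm}"
        if client not in self.keys:
            raise LookupError("Client not found in Kerberos database while getting initial credentials")
        sname = f"krbtgt/{self.realm}@{self.realm}"
        return {"client": client, "sname": sname, "mac": seal(self.keys[sname], client, sname)}

    def tgs_req(self, tgt, service):
        """TGS exchange: accept a TGT for krbtgt/THISREALM that was sealed with a key we hold
        (our own TGT key, or the shared cross-realm key), then issue a ticket for service."""
        sname = tgt["sname"]
        if not sname.startswith(f"krbtgt/{self.realm}@") or sname not in self.keys:
            raise PermissionError(f"{self.realm}: no key to verify {sname}")
        if not hmac.compare_digest(tgt["mac"], seal(self.keys[sname], tgt["client"], sname)):
            raise PermissionError("TGT integrity check failed")
        if service not in self.keys:  # local services and cross-realm krbtgt entries alike
            raise LookupError(f"{self.realm}: server not found in Kerberos database: {service}")
        return {"client": tgt["client"], "sname": service,
                "mac": seal(self.keys[service], tgt["client"], service)}

def build_trust(one, two):
    """A one-way trust ONE -> TWO is the same krbtgt/TWO@ONE key stored in both databases."""
    shared = one.add_principal(f"krbtgt/{two.realm}@{one.realm}")
    two.add_principal(f"krbtgt/{two.realm}@{one.realm}", shared)

def cross_realm_login(home, foreign, user, service):
    """The path asked about: kinit at home, home KDC issues the cross-realm TGT, foreign KDC accepts it."""
    tgt = home.as_req(user)
    xtgt = home.tgs_req(tgt, f"krbtgt/{foreign.realm}@{home.realm}")  # issued by HOME, not by the foreign KDC
    return xtgt, foreign.tgs_req(xtgt, service)
```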