Cross Realm AD<->MIT Trust, with realm name clash?

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Feb 2 17:44:36 EST 2006


>The subject largely says it all, I have a Unix MIT Realm and a 
>Windows AD Realm. Both have the same realm name, which for most things
>isn't at all a problem (the passwords are sync'd anyway).

I know this doesn't seem like a problem ... except that when you want to
do anything useful (e.g., cross realm) you realize it's impossible, and
you're in real trouble.  Sadly, you're not the first person I've heard of
in this situation ... and I believe they ended up changing one of the
realm names.

I don't believe it's possible to do what you describe; cross realm is
driven mostly by the client; the client figures out which KDCs they
need to talk to and then talks to each KDC in turn, getting the
cross-realm TGT.  The cross-realm TGT is generated by the originating
realm, and interpreted by the destination realm.  The problem is that
the client will see that it needs to talk to realm FOO, which has the
same name as the client principal's realm, and thus it will never
initiate cross-realm.

The only possibly gross thing I could think of doing would be to make
the TGTs have the same _key_ ... that way a TGT acquired in one realm
could be used in another realm.  Of course, your problem then is
directing an application to query the correct realm when it wants to
get a service ticket.

--Ken
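Ken's description of why the clash is fatal (the client compares realm names and, finding them equal, never asks for a cross-realm TGT) is easy to see in a small model of the client-side decision. The code below is an added example, not code from Ken's post or from MIT Kerberos; it models only the default hierarchical traversal of RFC 4120 section 1.2 (walk up the realm hierarchy to the common ancestor, then down) and assumes no capaths shortcuts or KDC referrals are configured. Realm and principal names in it are constructed samples.

```python
"""Model of the Kerberos client's cross-realm decision (added example).

Not code from the original post or from any Kerberos implementation.
Assumes default hierarchical realm traversal with no capaths entries.
"""

from typing import List, Optional, Tuple


def principal_realm(principal: str) -> str:
    """Return the realm of 'name[/instance]@REALM' (the last '@' splits)."""
    if "@" not in principal:
        raise ValueError(f"principal without realm: {principal!r}")
    return principal.rsplit("@", 1)[1]


def needs_cross_realm(client_principal: str, service_principal: str) -> bool:
    """The client's test is a plain string comparison of realm names.

    If the service's realm spells the same as its own, the client goes
    straight to its own KDC for a service ticket and never requests a
    cross-realm TGT, which is exactly the trap with two realms of one name.
    """
    return principal_realm(client_principal) != principal_realm(service_principal)


def hierarchical_path(client_realm: str, service_realm: str) -> Optional[List[str]]:
    """Realms the client transits, from its own realm to the service realm.

    Follows the DNS-like hierarchy: up to the nearest common ancestor, then
    down to the service realm.  Returns None when the realms share no
    suffix, since then only an explicit capaths entry could join them.
    """
    c = client_realm.split(".")
    s = service_realm.split(".")
    # length of the common suffix, counted in realm components
    i = 0
    while i < len(c) and i < len(s) and c[-1 - i] == s[-1 - i]:
        i += 1
    if i == 0:
        return None
    # up: the client realm, its parents, ending at the common ancestor
    up = [".".join(c[k:]) for k in range(0, len(c) - i + 1)]
    # down: the ancestor's children on the service side, ending at the service realm
    down = [".".join(s[k:]) for k in range(len(s) - i - 1, -1, -1)]
    return up + down


def tgt_requests(client_realm: str, service_realm: str) -> Optional[List[Tuple[str, str]]]:
    """(KDC realm asked, krbtgt principal requested) for each hop on the path.

    Each cross-realm TGT is issued by the realm whose TGT the client holds
    and is interpreted by the next realm on the path.  An empty list means
    no cross-realm traffic is ever generated.
    """
    path = hierarchical_path(client_realm, service_realm)
    if path is None:
        return None
    return [(src, f"krbtgt/{dst}@{src}") for src, dst in zip(path, path[1:])]


if __name__ == "__main__":
    # constructed sample: the clash from the thread, then two distinct realms
    print(needs_cross_realm("alice@EXAMPLE.COM", "host/srv.example.com@EXAMPLE.COM"))
    for hop in tgt_requests("UNIX.EXAMPLE.COM", "AD.EXAMPLE.COM"):
        print(hop)
```

With two realms both called EXAMPLE.COM, `needs_cross_realm` returns False and `tgt_requests` returns an empty list: no KDC other than the client's own is ever contacted, so nothing a KDC is configured with can help. Renaming one realm (say to AD.EXAMPLE.COM) gives a two-hop path whose intermediate krbtgt principals name the realms that have to share cross-realm keys.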