some cross-realm trust questions
Nicolas Williams
Nicolas.Williams at oracle.com
Mon Dec 27 11:04:26 EST 2010
On Mon, Dec 27, 2010 at 05:20:19AM +0000, Victor Sudakov wrote:
> Nicolas Williams wrote:
> > > 1. If a cross-realm trust is configured, do the realms' KDCs ever have to
> > > exchange any traffic between each other?
>
> > No, they do not.
>
> That's great, but at least at the initialization stage, how is a
> shared key for the corresponding krbtgt principals transferred between
> the two KDCs?
>
> The Windows "New Trust" wizard just asks for a password and never
> offers to export a keytab or anything.
True, but this is a step that must be executed locally on each realm
(with the same exact password). There's no standard protocol to help
realms agree on shared x-realm keys, not yet anyways.
Nico
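
An added illustration, not part of the original message and not code from any Kerberos implementation: why the password has to be typed identically in each realm. It assumes AES enctypes with the RFC 3962 string-to-key, the RFC 4120 default salt and the default iteration count, and computes only the PBKDF2 step; the realm names and passwords are constructed.

```python
import hashlib
import hmac

def default_salt(realm, components):
    """RFC 4120 default salt: realm, then the name components, no separators."""
    return (realm + "".join(components)).encode("utf-8")

def xrealm_key_material(password, client_realm, server_realm,
                        iterations=4096, keylen=32):
    """PBKDF2 step of the RFC 3962 string-to-key for krbtgt/SERVER@CLIENT.

    Assumptions: default salt, default iteration count (4096), 256-bit key.
    The final DK() step of RFC 3962 is omitted; it is deterministic, so
    equal output here means both realms end up with the same key.
    """
    salt = default_salt(client_realm, ["krbtgt", server_realm])
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, keylen)

def entries_agree(entry_a, entry_b):
    """True if two locally typed (password, client, server) entries match."""
    return hmac.compare_digest(xrealm_key_material(*entry_a),
                               xrealm_key_material(*entry_b))

# Constructed sample input: what the admin of realm A typed locally.
REALM_A_ADMIN = ("correct horse battery", "A.EXAMPLE", "B.EXAMPLE")

# Constructed sample input: things the admin of realm B might type.
CASES = {
    "identical entry": ("correct horse battery", "A.EXAMPLE", "B.EXAMPLE"),
    "trailing space in password": ("correct horse battery ", "A.EXAMPLE", "B.EXAMPLE"),
    "realm typed in lower case": ("correct horse battery", "A.EXAMPLE", "b.example"),
}

def check_all():
    """Compare every realm-B entry against the realm-A entry."""
    return {label: entries_agree(REALM_A_ADMIN, entry)
            for label, entry in CASES.items()}

if __name__ == "__main__":
    for label, ok in check_all().items():
        print(f"{label:28} -> {'keys match' if ok else 'KEYS DIFFER'}")
```

No traffic between the KDCs is involved: each side derives the key on its own, so a one-character difference in either entry leaves the two realms with keys that do not match.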