Kerberos cross-realm with AD

Brian Candler B.Candler at pobox.com
Tue Feb 8 05:07:32 EST 2011


On Tue, Feb 08, 2011 at 01:32:21PM +1100, Jean-Yves Avenard wrote:
> So in reference to authentication only.
> 
> The krb5.conf on the FreeBSD machine doesn't need to be told about
> MEL.DOMAIN.COM whatsoever?

Correct.

On the client side: you need to know about MEL.DOMAIN.COM (obviously),
but also the domain_realm rules to map the server's DNS domain to realm
M.DOMAIN.COM, and also the location of the KDCs for M.DOMAIN.COM (so that it
can contact the KDC to get the correct cross-realm ticket).  Or you can
publish that info in the DNS using TXT and SRV records.

The server side needs only to know about M.DOMAIN.COM, and only needs a
keytab entry for the M.DOMAIN.COM KDC. The client will have already obtained
a ticket from the M.DOMAIN.COM KDC, encrypted with the correct key.

Regards,

Brian.
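
The client-side configuration Brian describes, written out as an added example that is not part of the original post. It is a krb5.conf fragment for a Unix (MIT or Heimdal) client whose own realm is MEL.DOMAIN.COM and which needs a service ticket for a host in M.DOMAIN.COM. The host names dc1.mel.domain.com, dc2.mel.domain.com, kdc1.m.domain.com and fbsd.m.domain.com, and the assumption that the two realms trust each other directly rather than through an intermediate realm, are mine, not the thread's. The commented zone-file lines at the end show the DNS TXT/SRV alternative he mentions.

```ini
# Constructed example krb5.conf for a client in MEL.DOMAIN.COM that must
# reach a Kerberised service on fbsd.m.domain.com (realm M.DOMAIN.COM).
# All host names are assumed for illustration.

[libdefaults]
    default_realm = MEL.DOMAIN.COM
    # Set both to true if you publish the DNS records shown at the bottom
    # instead of listing M.DOMAIN.COM statically in [realms]/[domain_realm].
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    # The client's own realm (the AD domain controllers).
    MEL.DOMAIN.COM = {
        kdc = dc1.mel.domain.com
        kdc = dc2.mel.domain.com
        admin_server = dc1.mel.domain.com
    }
    # The server's realm. The client needs this so it can present the
    # cross-realm TGT (krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM) obtained from
    # its own KDC to this KDC and receive the service ticket.
    M.DOMAIN.COM = {
        kdc = kdc1.m.domain.com
    }

[domain_realm]
    # Map the server's DNS domain to its realm; without this the client
    # would assume fbsd.m.domain.com belongs to its default realm.
    .m.domain.com = M.DOMAIN.COM
    m.domain.com = M.DOMAIN.COM
    .mel.domain.com = MEL.DOMAIN.COM
    mel.domain.com = MEL.DOMAIN.COM

[capaths]
    # Assumed: a direct trust between the two realms ("." means no
    # intermediate realm). Only needed if the default hierarchical path
    # (via DOMAIN.COM) does not match the trust that was actually created.
    MEL.DOMAIN.COM = {
        M.DOMAIN.COM = .
    }

# DNS alternative to the [realms] and [domain_realm] entries for
# M.DOMAIN.COM (zone-file syntax, published in the m.domain.com zone):
#   _kerberos.m.domain.com.      IN TXT "M.DOMAIN.COM"
#   _kerberos._udp.m.domain.com. IN SRV 0 0 88 kdc1.m.domain.com.
#   _kerberos._tcp.m.domain.com. IN SRV 0 0 88 kdc1.m.domain.com.
```

To check the path end to end on the client, run `kinit user@MEL.DOMAIN.COM` followed by `kvno host/fbsd.m.domain.com@M.DOMAIN.COM`; `klist` should then show both `krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM` (the cross-realm ticket issued by the MEL.DOMAIN.COM KDC) and the service ticket issued by the M.DOMAIN.COM KDC. On the FreeBSD server nothing in this file is needed; its only requirement is the `host/fbsd.m.domain.com@M.DOMAIN.COM` key in its keytab, which `ktutil list` (Heimdal) or `klist -k` (MIT) will show.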
