Cross realm special question

Greg Hudson ghudson at MIT.EDU
Tue Oct 25 10:04:24 EDT 2011


On 10/25/2011 02:39 AM, Sonja Benz wrote:
> Now, assume the user's password is stored in realm B.COM and the user at 
> host.other.com is only able to access KDC A. Is it possible to get 
> 
>         host.other.com: $ kinit principal@B.COM
> 
> working?

I don't believe so, for two reasons:

* Cross-realm trust isn't a network communication path.  KDC A and KDC B
don't actually talk to each other; they just have shared keys.  If
host.other.com can't communicate with KDC B, it can't get tickets in
realm B, whether or not it can communicate with another KDC in the trust
graph.

* Cross-realm trust only applies to TGS requests (obtaining a service
ticket with your ticket-granting ticket).  Using Kerberos as a password
checker requires AS requests (getting an initial ticket).
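The two points above can be made concrete with a small model of which KDC each Kerberos exchange has to reach. This is an added illustration, not code from the thread or from MIT Kerberos: the `Realm` and `Client` classes, the principal names `alice@B.COM` and `bob@A.COM`, and the service `host/srv.b.com@B.COM` are constructed for the model, which follows the AS/TGS flow of RFC 4120 at the level of "whose KDC must answer", not the wire protocol.

```python
"""Toy model of which KDC a Kerberos client has to reach for each exchange.

Constructed example (not from the mailing-list thread): realms A.COM and
B.COM hold cross-realm keys for each other, but the host can only reach
KDC A. Realm/Client, the principal names and the service name are
assumptions made for the model.
"""
from dataclasses import dataclass, field


class KDCUnreachable(Exception):
    """Raised when an exchange needs a KDC the host cannot talk to."""


@dataclass
class Realm:
    name: str
    principals: set                          # users whose password-derived keys live here
    trusts: set = field(default_factory=set)  # realms for which a krbtgt/<other>@<name> key exists


@dataclass
class Client:
    reachable: set                            # realms whose KDCs this host can reach
    tgts: dict = field(default_factory=dict)  # "krbtgt/<realm>@<issuer>" -> issuer realm


def as_request(client, realms, principal):
    """AS-REQ (kinit): only the principal's own realm holds its key, so a KDC
    of that realm must answer. Cross-realm keys play no part in this step."""
    user, realm = principal.split("@")
    if realm not in client.reachable:
        raise KDCUnreachable(f"AS-REQ for {principal} needs a KDC of {realm}")
    if user not in realms[realm].principals:
        raise KeyError(f"{principal} is unknown in {realm}")
    name = f"krbtgt/{realm}@{realm}"
    client.tgts[name] = realm
    return name


def tgs_request(client, realms, service):
    """TGS-REQ: the home KDC can issue a cross-realm TGT (krbtgt/TARGET@HOME),
    but the service ticket itself is issued by the *target* realm's KDC, so
    every realm on the path must be reachable. Returns the KDCs contacted."""
    _, target = service.split("@")
    home = next((r for k, r in client.tgts.items() if k == f"krbtgt/{r}@{r}"), None)
    if home is None:
        raise RuntimeError("no initial TGT; run as_request first")
    contacted = []
    if target != home:
        if target not in realms[home].trusts:
            raise PermissionError(f"{home} has no cross-realm key for {target}")
        if home not in client.reachable:
            raise KDCUnreachable(f"TGS-REQ for krbtgt/{target}@{home} needs a KDC of {home}")
        contacted.append(home)
        client.tgts[f"krbtgt/{target}@{home}"] = home   # cross-realm TGT obtained
    if target not in client.reachable:
        raise KDCUnreachable(f"TGS-REQ for {service} needs a KDC of {target}")
    contacted.append(target)
    return contacted


def build_realms():
    """Two realms with a mutual cross-realm trust (constructed data)."""
    return {
        "A.COM": Realm("A.COM", {"bob"}, trusts={"B.COM"}),
        "B.COM": Realm("B.COM", {"alice"}, trusts={"A.COM"}),
    }


def demo():
    """Replay the situation from the thread: a host that only sees KDC A."""
    realms = build_realms()
    results = {}
    host = Client(reachable={"A.COM"})
    try:
        as_request(host, realms, "alice@B.COM")
        results["kinit alice@B.COM"] = "ok"
    except KDCUnreachable as e:
        results["kinit alice@B.COM"] = f"fails: {e}"
    as_request(host, realms, "bob@A.COM")          # local realm kinit works
    try:
        tgs_request(host, realms, "host/srv.b.com@B.COM")
        results["bob -> service in B.COM"] = "ok"
    except KDCUnreachable as e:
        results["bob -> service in B.COM"] = f"fails: {e}"
    both = Client(reachable={"A.COM", "B.COM"})
    as_request(both, realms, "bob@A.COM")
    results["bob -> service in B.COM, both KDCs reachable"] = tgs_request(
        both, realms, "host/srv.b.com@B.COM")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running `demo()` shows the two failure modes separately: the `kinit alice@B.COM` attempt fails at the AS step because only KDC B has alice's key, and even the local user `bob@A.COM`, who does hold a cross-realm TGT from KDC A, still cannot get a ticket for a B.COM service without reaching KDC B. The trust relationship changes who vouches for whom, not which KDC the client has to talk to.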
More information about the Kerberos mailing list