cross realm trusts
Paul B. Henson
henson at acm.org
Thu Feb 5 17:58:45 EST 2015
In my ongoing saga of renaming our domain, I'm almost to the point of
bringing up a second set of kerberos servers for the new realm. As part of
the transition, ideally I would like to set up a trust between them so users
could authenticate to either realm and transparently access services in the
other.
If I understand correctly, I need to create the following two principals in
both realms:
krbtgt/CPP.EDU@CSUPOMONA.EDU
krbtgt/CSUPOMONA.EDU@CPP.EDU
and add the following to the krb5.conf so they talk directly rather than
trying to go hierarchically through EDU:
[capaths]
    CSUPOMONA.EDU = {
        CPP.EDU = .
    }
    CPP.EDU = {
        CSUPOMONA.EDU = .
    }
Both realms will have exactly the same set of users. Are these the only two
steps needed to allow a principal user@CSUPOMONA.EDU to directly access
services in the CPP.EDU realm transparently? Or is there something else I
need to do to allow transparency during the migration?
Thanks much.
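
The following is an added example, not part of the original message: a small check that reads the [capaths] stanza quoted above and lists which cross-realm krbtgt principals a client walks through for each direction. The function names and the minimal krb5.conf around the stanza are assumptions, and the parser only handles this simple stanza layout.

```python
import re

# Constructed sample: the [capaths] stanza from the message in a minimal krb5.conf.
SAMPLE = """\
[libdefaults]
    default_realm = CPP.EDU

[capaths]
    CSUPOMONA.EDU = {
        CPP.EDU = .
    }
    CPP.EDU = {
        CSUPOMONA.EDU = .
    }
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms]}}."""
    paths, section, client = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # skip blanks and comments
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, client = m.group(1), None
        elif section != "capaths":
            continue
        elif line == "}":
            client = None
        elif line.endswith("{"):
            client = line.split("=")[0].strip()
            paths.setdefault(client, {})
        elif client and "=" in line:
            server, hop = (s.strip() for s in line.split("=", 1))
            hops = paths[client].setdefault(server, [])
            if hop != ".":                    # "." means no intermediate realm
                hops.append(hop)
    return paths

def cross_realm_tgts(paths, client, server):
    """Cross-realm TGS principals on the path, or None if no capaths entry."""
    if server not in paths.get(client, {}):
        return None
    chain = [client] + paths[client][server] + [server]
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(chain, chain[1:])]

if __name__ == "__main__":
    p = parse_capaths(SAMPLE)
    for c, s in (("CSUPOMONA.EDU", "CPP.EDU"), ("CPP.EDU", "CSUPOMONA.EDU")):
        print(c, "->", s, cross_realm_tgts(p, c, s))
```

Each principal it prints has to exist in the KDC databases of both realms it names, with identical keys, for that direction of the trust to work.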