cross realm trusts

Paul B. Henson henson at acm.org
Thu Feb 5 17:58:45 EST 2015


In my ongoing saga of renaming our domain, I'm almost to the point of
bringing up a second set of Kerberos servers for the new realm. As part of
the transition, ideally I would like to set up a trust between them so users
could authenticate to either realm and transparently access services in the
other.

If I understand correctly, I need to create the following two principals in
both realms:

krbtgt/CPP.EDU at CSUPOMONA.EDU
krbtgt/CSUPOMONA.EDU at CPP.EDU

and add the following to the krb5.conf so they talk directly rather than
trying to go hierarchically through EDU:

[capaths]
CSUPOMONA.EDU = {
	CPP.EDU = .
}
CPP.EDU = {
	CSUPOMONA.EDU = .
}

Both realms will have exactly the same set of users. Are these the only two
steps needed to allow a principal user at CSUPOMONA.EDU to directly access
services in the CPP.EDU realm transparently? Or is there something else I
need to do to allow transparency during the migration?

Thanks much.
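An added example, not part of the original post or of any reply to it: a POSIX shell script that generates the pieces of the setup described above for both realms and checks the result from a klist listing. It assumes MIT Kerberos with kadmin.local on each KDC; the shared password is a placeholder, the host names are assumed, and the klist output is constructed for the check. Two practical points it builds in: the cross-realm krbtgt principals only work if the key of krbtgt/B@A stored in realm A is identical to the one stored in realm B, so the same password is passed to both addprinc commands on both KDCs; and the krbtgt principals plus [capaths] let a CSUPOMONA.EDU user obtain a ticket for a CPP.EDU service, but the service still sees a foreign principal unless an auth_to_local rule (or a .k5login entry) maps it to a local account.

```shell
#!/bin/sh
# Added example, not from the original post: generate the kadmin commands,
# the [capaths] stanza and an auth_to_local rule for a direct two-way trust
# between two MIT Kerberos realms, then check a klist listing for the
# cross-realm TGT. Realm names are the poster's; the password is a placeholder.

# Commands to run in kadmin.local on the KDC of each realm (both realms get
# both principals). The same password is used everywhere: the trust only
# works if the key of krbtgt/B@A in realm A matches the one in realm B.
gen_kadmin_cmds() {
    a=$1; b=$2; pw=$3
    printf 'addprinc -pw %s krbtgt/%s@%s\n' "$pw" "$b" "$a"
    printf 'addprinc -pw %s krbtgt/%s@%s\n' "$pw" "$a" "$b"
}

# [capaths] stanza telling clients the two realms trust each other directly
# ("." = no intermediate realm), so the path does not go up through EDU.
gen_capaths() {
    a=$1; b=$2
    printf '[capaths]\n%s = {\n\t%s = .\n}\n%s = {\n\t%s = .\n}\n' "$a" "$b" "$b" "$a"
}

# [realms] fragment for the realm whose services should accept the other
# realm's users: strip "@FOREIGN" so user@FOREIGN becomes local user "user".
# DEFAULT keeps the normal mapping for the local realm's own principals.
gen_auth_to_local() {
    local_realm=$1; foreign=$2
    esc=$(printf '%s' "$foreign" | sed 's/\./\\./g')
    printf '[realms]\n%s = {\n' "$local_realm"
    printf '\tauth_to_local = RULE:[1:$1@$0](.*@%s)s/@%s$//\n' "$esc" "$esc"
    printf '\tauth_to_local = DEFAULT\n}\n'
}

# After "kinit user@CSUPOMONA.EDU" and "kvno host/x.cpp.edu@CPP.EDU", klist
# must list krbtgt/CPP.EDU@CSUPOMONA.EDU: that is the cross-realm TGT the
# CSUPOMONA.EDU KDC issued, proving the krbtgt principal and capaths work.
has_cross_realm_tgt() {
    listing=$1; client_realm=$2; service_realm=$3
    printf '%s\n' "$listing" | grep -q "krbtgt/$service_realm@$client_realm"
}

# Constructed klist output for the check; not captured from a real system.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@CSUPOMONA.EDU

Valid starting       Expires              Service principal
02/05/2015 17:00:00  02/06/2015 03:00:00  krbtgt/CSUPOMONA.EDU@CSUPOMONA.EDU
02/05/2015 17:01:00  02/06/2015 03:00:00  krbtgt/CPP.EDU@CSUPOMONA.EDU
02/05/2015 17:01:00  02/06/2015 03:00:00  host/shell.cpp.edu@CPP.EDU'

echo '# on both KDCs, in kadmin.local:'
gen_kadmin_cmds CSUPOMONA.EDU CPP.EDU 'change-me-shared-secret'
echo '# krb5.conf on every client and service host:'
gen_capaths CSUPOMONA.EDU CPP.EDU
echo '# krb5.conf on CPP.EDU service hosts:'
gen_auth_to_local CPP.EDU CSUPOMONA.EDU
if has_cross_realm_tgt "$SAMPLE_KLIST" CSUPOMONA.EDU CPP.EDU; then
    echo 'cross-realm TGT present: trust CSUPOMONA.EDU -> CPP.EDU works'
fi
```

Run gen_auth_to_local the other way round (CSUPOMONA.EDU as local realm, CPP.EDU as foreign) for the CSUPOMONA.EDU service hosts if access is wanted in both directions; if the shared password is ever changed, change it on both KDCs at the same time, since a kvno or key mismatch breaks the trust silently from the client's point of view.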