Is [capaths] section necessary for cross-realm kerberos auth?

pratyush parimal pratyush.parimal at gmail.com
Fri Aug 25 11:38:53 EDT 2017


Hi all,

I'm trying to set up cross-realm between a KDC in EXAMPLE.COM (containing my
users) and a KDC in HADOOP.COM (containing my services).

I read from manuals (like the ones on
https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/capaths.html
and
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-kerberos-crossrealm.html)
that you have to do 2 things in order to achieve this:

(1) add a "trust" principal called krbtgt/HADOOP.COM at EXAMPLE.COM to both
the KDCs.
(2) add a "capaths" section to the EXAMPLE.COM KDC like so:

[capaths]
 HADOOP.COM = {
  EXAMPLE.COM = .
 }

However, in practice I found that my setup works even without step (2). I'm
wondering if the "capaths" is deprecated or something? Or is it needed for
setups that are more complicated in some way?

Thanks in advance!
Pratyush Parimal.
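As an added example (not from the post and not MIT krb5's own code), here is a small Python model of what a [capaths] section encodes: the intermediate realms a client crosses on its way to a server realm and the krbtgt/NEXT@CURRENT tickets it requests along that path, with a hierarchical fallback for realm pairs that have no entry. The section text, the DEV.EXAMPLE.COM child realm and the fallback rule are constructed assumptions for illustration.

```python
import re
# Constructed sample: the post's direct trust, plus a child realm routed through EXAMPLE.COM.
SAMPLE_CONF = """[capaths]
 EXAMPLE.COM = {
  HADOOP.COM = .
 }
 DEV.EXAMPLE.COM = {
  HADOOP.COM = EXAMPLE.COM
 }
"""

def parse_capaths(conf):
    """[capaths] text -> {client: {server: [hops]}}; repeated keys append, '.' means direct."""
    paths, current = {}, None
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('['):   # skip blanks, comments, the section header
            continue
        m = re.fullmatch(r'(\S+)\s*=\s*\{', line)
        if m:
            current = paths.setdefault(m.group(1), {})
        elif line == '}':
            current = None
        elif current is not None:
            server, hop = (s.strip() for s in line.split('=', 1))
            current.setdefault(server, []).extend([hop] if hop != '.' else [])
    return paths

def hierarchical_path(client, server):
    """Fallback with no [capaths] entry: up to the common domain suffix, then down (assumed model)."""
    c, s = client.split('.'), server.split('.')
    n = 0
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    if n == 0:                                  # no common suffix: assume a direct trust
        return []
    up = ['.'.join(c[i:]) for i in range(1, len(c) - n + 1)]
    down = ['.'.join(s[i:]) for i in range(len(s) - n - 1, 0, -1)]
    return [r for r in up + down if r not in (client, server)]

def transit_path(capaths, client, server):
    """Intermediate realms crossed from the client realm to the server realm."""
    explicit = capaths.get(client, {}).get(server)
    return explicit if explicit is not None else hierarchical_path(client, server)

def tgt_chain(client, server, hops):
    """Cross-realm TGTs requested along the path, as krbtgt/NEXT@CURRENT names."""
    realms = [client] + hops + [server]
    return [f'krbtgt/{nxt}@{cur}' for cur, nxt in zip(realms, realms[1:])]
```

For the post's own pair of realms the path is empty and the only ticket requested is krbtgt/HADOOP.COM@EXAMPLE.COM, the principal from step (1); the DEV.EXAMPLE.COM entry is the kind of case where the hierarchical fallback would route through COM instead. Entries are keyed by client realm, so the reverse direction (HADOOP.COM clients reaching EXAMPLE.COM) needs its own entry.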
