Is [capaths] section necessary for cross-realm kerberos auth?

Greg Hudson ghudson at mit.edu
Fri Aug 25 12:00:55 EDT 2017


On 08/25/2017 11:38 AM, pratyush parimal wrote:
> (2) add a "capaths" section to the EXAMPLE.COM KDC like so:
> 
> [capaths]
>  HADOOP.COM = {
>   EXAMPLE.COM = .
>  }
> 
> However, in practice I found that my setup works even without step (2). I'm
> wondering if the "capaths" is deprecated or something? Or is it needed for
> setups that are more complicated in some way?

capaths are generally not required when there are only two realms.
HADOOP.COM can safely assume that EXAMPLE.COM is qualified to
authenticate users in its own realm.  capaths would be required if
authentication between the two realms went through a third realm which
was not hierarchically related to the two realms.

The capaths example above does (I believe) have the modest effect of
preventing a hypothetical COM realm from acting as an authentication
intermediary between HADOOP.COM and EXAMPLE.COM.  But of course there
will never be a legitimate Kerberos realm named COM.
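As an added illustration of the three-realm case Greg describes (this is not part of the original thread, and the realm names are hypothetical), the following krb5.conf fragment is what a [capaths] section would look like if EXAMPLE.COM and HADOOP.COM shared no direct cross-realm key but each had one with an unrelated hub realm, HUB.NET. Because HUB.NET is not a parent of either realm, the default hierarchical walk cannot discover it, so the path has to be spelled out.

```ini
# krb5.conf fragment (added example, hypothetical realms).
# Outer key: the client's realm.  Inner key: the realm of the service
# being requested.  Value: the intermediate realm(s) to go through;
# "." means "directly, no intermediary".
# Cross-realm keys assumed to exist:
#   krbtgt/HUB.NET@EXAMPLE.COM  and  krbtgt/HUB.NET@HADOOP.COM
[capaths]
    # A client in EXAMPLE.COM reaches a HADOOP.COM service via HUB.NET:
    # it first gets krbtgt/HUB.NET@EXAMPLE.COM, then krbtgt/HADOOP.COM@HUB.NET.
    EXAMPLE.COM = {
        HADOOP.COM = HUB.NET
    }
    # The reverse direction, for clients in HADOOP.COM.
    HADOOP.COM = {
        EXAMPLE.COM = HUB.NET
    }
```

The same section belongs on the clients, whose Kerberos library walks the listed path to request the intermediate TGTs, and on the EXAMPLE.COM and HADOOP.COM KDCs, which consult [capaths] to decide whether the transited realm list carried in an incoming cross-realm TGT is acceptable. Listing HUB.NET as the only intermediary is also what keeps any other realm that happens to hold cross-realm keys with both sides from being accepted as a path between them, which is the effect Greg attributes to the two-realm example above.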

