Different realms

Robbie Harwood rharwood at redhat.com
Fri Jan 26 07:55:25 EST 2018


"Imanuel Greenfeld" <imanuel.greenfeld1 at ntlworld.com> writes:

> I have 2 domains which there is no trust between them.
>
> I'm running a process on Domain 1.  This needs to submit HTTP rest
> request to Domain 2 which the KDC is also on the same domain
> (i.e. domain 2).

What does "domain" mean here?  Do you have two realms (A and B), with
two machines (machine_a in A, and machine_b in B), and two services
(service_a on machine_a, and service_b on machine_b)?

> I have keytab (for the service account on Domain 2) and kerb5.conf
> with the details of the two realms.

So if I understand correctly: on machine_b, you have a keytab for
service_b.  And krb5.conf knows the KDCs and such for both A and B.

> I found a way to incorporate the keytab into the HTTP request in Java but
> not in C/C++.

I lose you here.  It sounds like you're sending the keytab as part of
the HTTP request?  I'm not overly familiar with the Java bindings, but
this isn't something one really wants to be doing in Kerberos.

> I know there are functions such as krb5_get_init_creds_keytab but I do
> not know how to achieve the same in C/C++ (as I did in Java).  So when
> I have the keytab, how do I incorporate this to the HTTP header ?

You shouldn't be passing credentials around for security reasons, and
you shouldn't be putting things of variable length in headers.

What is the actual, higher level thing you are trying to accomplish?

Thanks,
--Robbie