Question about (no-)cross-realm trust

Greg Hudson ghudson at mit.edu
Wed Sep 18 13:32:05 EDT 2019


On 9/17/19 10:22 PM, Vipin Rathor wrote:
> I am trying to develop an application which can talk to a kerberized
> service running in a remote realm. I am aware that this would ideally
> require having trust (one way or two way) between my current realm and
> remote realm. Additionally, we want to avoid having trust as a requirement
> (the folks maintaining remote realm are quite 'possessive' about their
> realm).

Active Directory uses the term "trust" to describe cross-realm
relationships, but there is no requirement for trust between Kerberos 5
realms which share cross-realm keys.  Application servers do need to be
careful to grant an appropriate level of privilege (which might mean no
access at all) to clients in foreign realms.

(I can't tell from the question whether this is a primarily Microsoft
environment or whether the environment uses Heimdal or MIT krb5.)

> What if my application can get two TGTs from both the realms and instead of
> getting a cross-realm TGS, it can use the respective TGTs to talk to
> respective realms?

Yes, an application can have two credential caches containing
credentials for different client principals.  These caches can be
managed individually, or as part of a cache collection:

http://web.mit.edu/kerberos/krb5-latest/doc/basic/ccache_def.html#collections-of-caches
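An added example, not part of the original reply and not MIT krb5's own code, of the "two TGTs, two caches" approach: each realm gets its own FILE: credential cache, and the cache is chosen from the realm of the target service principal so that a request to the remote realm never consults the local-realm TGT (and vice versa). The realm names, cache directory and service principals are placeholders; it assumes MIT krb5 command-line tools (kinit, klist, kswitch) are installed.

```shell
#!/bin/sh
# Keep one credential cache per realm and pick the cache from the realm of the
# service being contacted. Only the helper functions are defined here; nothing
# talks to a KDC until get_tgt or run_against is called.
# Assumption: KRB_CC_DIR is a private directory (mode 0700) owned by the caller.

KRB_CC_DIR="${KRB_CC_DIR:-/tmp/krb5cc_split_$(id -u 2>/dev/null || echo 0)}"

# realm_of PRINCIPAL -> prints the realm (text after the last '@'), fails if none
realm_of() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   return 1 ;;
    esac
}

# ccache_for_realm REALM -> the FILE: cache that holds credentials for REALM
ccache_for_realm() {
    printf 'FILE:%s/tkt_%s\n' "$KRB_CC_DIR" "$1"
}

# collection_name -> the same directory viewed as a DIR: cache collection, so
# "klist -A" lists every realm's cache and "kswitch -p PRINCIPAL" picks the primary
collection_name() {
    printf 'DIR:%s\n' "$KRB_CC_DIR"
}

# get_tgt CLIENT_PRINCIPAL [KEYTAB] -> obtains a TGT for that principal from its
# own realm's KDC into the cache reserved for that realm (no cross-realm TGS).
get_tgt() {
    princ=$1
    realm=$(realm_of "$princ") || return 1
    mkdir -p "$KRB_CC_DIR" && chmod 0700 "$KRB_CC_DIR" || return 1
    if [ -n "$2" ]; then
        kinit -k -t "$2" -c "$(ccache_for_realm "$realm")" "$princ"
    else
        kinit -c "$(ccache_for_realm "$realm")" "$princ"
    fi
}

# run_against SERVICE_PRINCIPAL CMD... -> runs CMD with KRB5CCNAME pointing at
# the cache for the service's realm, so the Kerberos library uses that realm's
# TGT directly instead of asking the local realm for a cross-realm ticket.
run_against() {
    svc=$1; shift
    realm=$(realm_of "$svc") || return 1
    KRB5CCNAME=$(ccache_for_realm "$realm") "$@"
}

# Example session (placeholders; would prompt for passwords or use keytabs):
#   get_tgt alice@LOCAL.EXAMPLE
#   get_tgt alice-remote@REMOTE.EXAMPLE /etc/alice-remote.keytab
#   run_against host/db.remote.example@REMOTE.EXAMPLE ./client --server db.remote.example
#   KRB5CCNAME=$(collection_name) klist -A     # shows both caches
```

The server side still decides what a principal from a foreign realm is allowed to do; this script only keeps the two sets of client credentials apart.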
