Question about (no-)cross-realm trust

Vipin Rathor v.rathor at gmail.com
Thu Sep 19 13:38:18 EDT 2019


Thanks Greg for clarifying. Good to know that 'trust' is specific to MS AD.
Actually the "1.2. Cross-Realm Operation
<https://tools.ietf.org/html/rfc4120#section-1.2>" section in RFC 4120 was
throwing me off.
I also found & read the memo [RFC-5868] Problem Statement on the
Cross-Realm Operation of Kerberos <https://tools.ietf.org/html/rfc5868>
which discusses the problems with cross-realm operations.

Oh and my question was related to MIT KDC and FreeIPA.
Thanks again, really appreciate it!

Regards,
VR

On Wed, Sep 18, 2019 at 10:32 AM Greg Hudson <ghudson at mit.edu> wrote:

> On 9/17/19 10:22 PM, Vipin Rathor wrote:
> > I am trying to develop an application which can talk to a kerberized
> > service running in a remote realm. I am aware that this would ideally
> > require having trust (one way or two way) between my current realm and
> > remote realm. Additionally, we want to avoid having trust as a
> requirement
> > (the folks maintaining remote realm are quite 'possessive' about their
> > realm).
>
> Active Directory uses the term "trust" to describe cross-realm
> relationships, but there is no requirement for trust between Kerberos 5
> realms which share cross-realm keys.  Application servers do need to be
> careful to grant an appropriate level of privilege (which might mean no
> access at all) to clients in foreign realms.
>
> (I can't tell from the question whether this is a primarily Microsoft
> environment or whether the environment uses Heimdal or MIT krb5.)
>
> > What if my application can get two TGTs from both the realms and instead
> of
> > getting a cross-realm TGS, it can use the respective TGTs to talk to
> > respective realms?
>
> Yes, an application can have two credential caches containing
> credentials for different client principals.  These caches can be
> managed individually, or as part of a cache collection:
>
>
> http://web.mit.edu/kerberos/krb5-latest/doc/basic/ccache_def.html#collections-of-caches
>


More information about the Kerberos mailing list