On Monday, August 18, 2003, at 11:51 AM, Douglas E. Engert wrote:
In this case wouldn't the COLORADO.EDU KDC have to have the client machine host principal?
CJ Keist wrote:
Hello,
Reading the docs on cross realm authentication is making me go
crossed eyed ;). I'll try my best to explain what it is I'm wanting to
do with cross realm authentication.
We have two realms 1) COLOSTATE.EDU and 2) ENGR.COLOSTATE.EDU (my
realm). The top realm is going to house just user principals with
passwords, and my realm will house just my host principals. So what I
want to happen is when a user tries to login to one of my workstations
it will go to my KDC,
The user should login as [EMAIL PROTECTED], then the client will
contact the COLORADO.EDU realm directly. Later when trying to get
a host ticket the lib will get the crossrealm TGT then the service ticket.
------------------------------------------------------------------------ ---------------------------my KDC will say I don't know this user so will pass it on to COLOSTATE.EDU KDC server.
This would be a referral, which W2K supports, but not nessesarily any other the Kerberos code yet.
The COLOSTATE.EDU KDC will say
yes I know this user and then pass the authentication on down to my KDC
It would return a krbtgt/[EMAIL PROTECTED]
Then later the client would use the above tgt to get a tgt for:
krbtgt/[EMAIL PROTECTED]
Then use this to get the :
host/[EMAIL PROTECTED]
and then on to the client so the user will be able to login.
Reason I have to do this is that the Network guys for CSU don't want me
to login to their KDC server, and they don't want to enter in all my
host principals. So we're trying to find a work around.
Here is what my krb5.conf file looks like:
# krb5.conf template # [libdefaults] default_realm = ENGR.COLOSTATE.EDU
[realms] ENGR.COLOSTATE.EDU = { kdc = kerberos.engr.colostate.edu admin_server = kerberos.engr.colostate.edu } COLOSTATE.EDU = { kdc = kdc1.KERBEROS.ColoState.EDU:88 admin_server = kdc1.KERBEROS.ColoState.EDU:749 default_domain = kerberos.colostate.edu }
[capaths] ENGR.COLOSTATE.EDU = { COLOSTATE.EDU = . }
You really don't need the [capaths] as the default is to walk the realms, and ENGR.COLOSTATE.EDU would be next to COLOSTATE.EDU
If you do have the [capaths] you should have both directions but that should not be a problem.
The [capaths] was added to allow not obvious paths, like XYZ.EDU to ABC.GOV
[domain_realm] .engr.colostate.edu = ENGR.COLOSTATE.EDU
Can anyone see what I'm doing wrong?
---------------------------------------------------------------------- --
---------------------------
C. J. Keist Email: [EMAIL PROTECTED] UNIX/Network Manager Phone: 970-491-0630 Engineering Network Services Fax: 970-491-5569 College of Engineering, CSU Ft. Collins, CO 80523-1301
All I want is a chance to prove 'Money can't buy happiness'"
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444
C. J. Keist Email: [EMAIL PROTECTED] UNIX/Network Manager Phone: 970-491-0630 Engineering Network Services Fax: 970-491-5569 College of Engineering, CSU Ft. Collins, CO 80523-1301
All I want is a chance to prove 'Money can't buy happiness'"
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
