If I understand your message here, then Kerberos right now is not capable of handling this setup, in that a master realm that holds just user principals, with sub-realms holding host principals, cannot authenticate a user logging into a client machine in one of the sub-realms?


On Monday, August 18, 2003, at 11:51 AM, Douglas E. Engert wrote:

CJ Keist wrote:

Hello,
Reading the docs on cross-realm authentication is making me go
cross-eyed ;). I'll try my best to explain what it is I'm wanting to
do with cross-realm authentication.
We have two realms 1) COLOSTATE.EDU and 2) ENGR.COLOSTATE.EDU (my
realm). The top realm is going to house just user principals with
passwords, and my realm will house just my host principals. So what I
want to happen is when a user tries to login to one of my workstations
it will go to my KDC,

The user should login as [EMAIL PROTECTED], then the client will
contact the COLORADO.EDU realm directly. Later, when trying to get
a host ticket, the lib will get the cross-realm TGT, then the service ticket.


In this case wouldn't the COLORADO.EDU KDC have to have the client machine host principal?

my KDC will say I don't know this user so will
pass it on to COLOSTATE.EDU KDC server.

This would be a referral, which W2K supports, but not necessarily any of the other Kerberos code yet.

The COLOSTATE.EDU KDC will say
yes I know this user and then pass the authentication on down to my KDC

It would return a krbtgt/[EMAIL PROTECTED]


Then later the client would use the above tgt to get a tgt for:

krbtgt/[EMAIL PROTECTED]

Then use this to get the:

host/[EMAIL PROTECTED]

and then on to the client so the user will be able to login.
Reason I have to do this is that the Network guys for CSU don't want me
to login to their KDC server, and they don't want to enter in all my
host principals. So we're trying to find a work around.


Here is what my krb5.conf file looks like:

# krb5.conf template
#
[libdefaults]
         default_realm = ENGR.COLOSTATE.EDU

[realms]
         ENGR.COLOSTATE.EDU = {
                 kdc = kerberos.engr.colostate.edu
                 admin_server = kerberos.engr.colostate.edu
         }
         COLOSTATE.EDU = {
                 kdc = kdc1.KERBEROS.ColoState.EDU:88
                 admin_server = kdc1.KERBEROS.ColoState.EDU:749
                 default_domain = kerberos.colostate.edu
         }

[capaths]
         ENGR.COLOSTATE.EDU = {
                 COLOSTATE.EDU = .
         }


You really don't need the [capaths], as the default is to walk the
realms, and ENGR.COLOSTATE.EDU would be next to COLOSTATE.EDU.

If you do have the [capaths] you should have both directions, but
that should not be a problem.

The [capaths] was added to allow non-obvious paths, like
  XYZ.EDU to ABC.GOV


[domain_realm]
         .engr.colostate.edu = ENGR.COLOSTATE.EDU

Can anyone see what I'm doing wrong?

----------------------------------------------------------------------------------------------------


C. J. Keist                     Email: [EMAIL PROTECTED]
UNIX/Network Manager            Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

"All I want is a chance to prove 'Money can't buy happiness'"

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

--


 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444

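The ticket chain Douglas walks through above (initial TGT, cross-realm TGT, then the host ticket) and the difference between an explicit [capaths] entry and the default hierarchical realm walk, as an added example that is not part of this thread or of the MIT code. It assumes the [capaths] fragment CJ posted, a hypothetical user cj@COLOSTATE.EDU and workstation ws1.engr.colostate.edu, and models the default walk on MIT krb5's documented behaviour (climb to the nearest common ancestor realm, descend to the server realm, and join realms with no common suffix through their top-level realms). It only computes which principals the client library would ask for; it does not contact a KDC, check the transited field, or model W2K referrals.

```python
"""Which realms and TGTs a Kerberos client goes through for a cross-realm
service ticket: an explicit [capaths] entry wins, otherwise the library
walks the realm hierarchy (the "default" mentioned in the thread).
"""
import re

# Constructed krb5.conf fragment; the [capaths] section is the one posted
# in the thread (only the ENGR -> COLOSTATE direction is listed).
KRB5_CONF = """
[libdefaults]
        default_realm = ENGR.COLOSTATE.EDU

[capaths]
        ENGR.COLOSTATE.EDU = {
                COLOSTATE.EDU = .
        }
"""


def parse_capaths(conf_text):
    """Return {client_realm: {server_realm: [hop, ...]}} from [capaths].
    A value of "." means a direct trust; repeated lines for one server
    realm list the intermediate realms in order.
    """
    capaths, section, client = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, client = m.group(1), None
            continue
        if section != "capaths":
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            client = m.group(1)
            capaths.setdefault(client, {})
            continue
        if line == "}":
            client = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(\S+)$", line)
        if m and client is not None:
            server, hop = m.groups()
            capaths[client].setdefault(server, []).append(hop)
    return capaths


def hierarchical_path(client_realm, server_realm):
    """Default walk when no [capaths] entry applies (modelled on MIT krb5's
    walk_realm_tree; assumption, not a guarantee for every implementation):
    climb from the client realm to the nearest common ancestor, then descend.
    Realms with no common suffix are joined via their top-level realms,
    e.g. XYZ.EDU -> EDU -> GOV -> ABC.GOV.
    """
    if client_realm == server_realm:
        return [client_realm]
    c, s = client_realm.split("."), server_realm.split(".")
    n = 0  # length of the common suffix, in components
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    up = [".".join(c[i:]) for i in range(len(c) - n)]
    common = [".".join(c[len(c) - n:])] if n else []
    down = [".".join(s[i:]) for i in range(len(s) - n - 1, -1, -1)]
    return up + common + down


def realm_path(client_realm, server_realm, capaths):
    """Realms the client must obtain TGTs through, client first, server last."""
    hops = capaths.get(client_realm, {}).get(server_realm)
    if hops is None:
        return hierarchical_path(client_realm, server_realm)
    if hops == ["."]:
        return [client_realm, server_realm]
    return [client_realm] + hops + [server_realm]


def ticket_sequence(user_principal, service_principal, capaths):
    """Principals the library requests, in order: the initial TGT from the
    user's own realm, one cross-realm TGT per hop, then the service ticket.
    """
    client_realm = user_principal.rsplit("@", 1)[1]
    server_realm = service_principal.rsplit("@", 1)[1]
    path = realm_path(client_realm, server_realm, capaths)
    tickets = ["krbtgt/%s@%s" % (client_realm, client_realm)]
    for issuer, target in zip(path, path[1:]):
        tickets.append("krbtgt/%s@%s" % (target, issuer))
    tickets.append(service_principal)
    return tickets


def missing_reverse_entries(capaths):
    """(client, server) pairs with no reverse [capaths] entry, i.e. the
    'both directions' Douglas recommends listing."""
    return [(server, client)
            for client, servers in capaths.items()
            for server in servers
            if client not in capaths.get(server, {})]


if __name__ == "__main__":
    caps = parse_capaths(KRB5_CONF)
    for t in ticket_sequence("cj@COLOSTATE.EDU",
                             "host/ws1.engr.colostate.edu@ENGR.COLOSTATE.EDU", caps):
        print(t)
    print("missing reverse capaths entries:", missing_reverse_entries(caps))
```

For the user in COLOSTATE.EDU logging into an ENGR workstation, the posted [capaths] has no COLOSTATE.EDU entry at all, so the lookup falls through to the hierarchical walk, which happens to produce the same direct path; this is why Douglas says the section is unnecessary here. The config only tells the client which path to try: the second TGT, krbtgt/ENGR.COLOSTATE.EDU@COLOSTATE.EDU, can only be issued if that principal exists with the same key in both KDCs, which is the part the COLOSTATE.EDU administrators would still have to create.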
