Derek Harkness wrote:
>
> I've read a bit about cross-realm authentication and even kind of have
> it working, but not quite the way I want. So my question is: is what I
> want possible?
>
> I currently have two realms, ITS and UMD. I want all my users to be in
> UMD and all my servers and services in ITS. In the setup I currently
> have, if I log into UMD and then use a kerberized telnet to server1 in
> ITS I get the proper tickets but get authorization denied unless I have
> a .k5login in my home directory. This isn't what I want.

Sounds almost like what we have. All the users are in a Windows AD, and most of the unix boxes are in an MIT KDC based realm. We have a local mod to the krb5 libs that will accept users from either realm if they don't have a .k5login file. (If they do have a .k5login, then that is used.)

Sounds like we could use Sam's patch for bug #957 in the next release.

>
> I want [EMAIL PROTECTED] to be able to access anything in the ITS realm. But
> [EMAIL PROTECTED] should not be able to access anything UMD. The reason for this
> is UMD is currently outside my control and I simply want to use it for
> authentication. I want a one way trust basically.

But note that if UMD adds a user, and you happen to have a local user on your machine with the same name, their user will be able to access your local account. So you should be using some registry like Uniqname, which I assume you are, as Uniqname came out of UMich.

>
> Thanks,
> Derek

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
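
The authorization behaviour described in the reply above, as an added example that is not part of the original message or of the krb5 code: a small Python model of the .k5login check and the "either realm" fallback, with a helper that lists which local accounts a same-named UMD principal would reach. Function names, account names and the sample data are assumptions made up for illustration.

```python
# Model of the authorization decision discussed in the thread (illustrative;
# this is not krb5 library code). All names and sample data are hypothetical.

def parse_principal(principal):
    """Split 'name@REALM' into (name, realm); reject anything else."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a name@REALM principal: {principal!r}")
    return name, realm

def parse_k5login(text):
    """A .k5login file lists one full principal name per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def may_login(principal, account, k5login_text, accepted_realms):
    """True if `principal` may log in to the local `account`.
    k5login_text is None when the account has no .k5login file."""
    name, realm = parse_principal(principal)
    if k5login_text is not None:
        # When a .k5login exists it alone decides.
        return principal in parse_k5login(k5login_text)
    # No .k5login: a matching user name from an accepted realm is enough.
    return realm in accepted_realms and name == account

def exposed_accounts(local_accounts, foreign_principals, accepted_realms):
    """(principal, account) pairs where a foreign principal gets a local login.
    local_accounts maps account name -> .k5login text, or None if absent."""
    return sorted(
        (p, acct)
        for p in foreign_principals
        for acct, k5 in local_accounts.items()
        if may_login(p, acct, k5, accepted_realms)
    )

# Constructed sample data, using the realm names from the thread.
OWN_REALM_ONLY = {"ITS"}        # what Derek sees: denied without .k5login
EITHER_REALM = {"ITS", "UMD"}   # the local modification described in the reply
LOCAL = {"derek": None, "backup": None, "oracle": "dba@ITS\n"}
UMD_USERS = ["derek@UMD", "backup@UMD", "oracle@UMD"]

if __name__ == "__main__":
    for pair in exposed_accounts(LOCAL, UMD_USERS, EITHER_REALM):
        print("reachable without .k5login:", pair)
```

Running the audit against the real account list before accepting a second realm shows which local names need a .k5login or a rename first.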
