On 10/25/2011 02:39 AM, Sonja Benz wrote:
> Now, assume the user's password is stored in realm B.COM and the user at
> host.other.com is only able to access KDC A. Is it possible to get
>
> host.other.com: $ kinit [email protected]
>
> working?

I don't believe so, for two reasons:

* Cross-realm trust isn't a network communication path. KDC A and KDC B
  don't actually talk to each other; they just have shared keys. If
  host.other.com can't communicate with KDC B, it can't get tickets in
  realm B, whether or not it can communicate with another KDC in the
  trust graph.

* Cross-realm trust only applies to TGS requests (obtaining a service
  ticket with your ticket-granting ticket). Using Kerberos as a password
  checker requires AS requests (getting an initial ticket).
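
The two points in the reply above, as an added example that is not part of the original message: a small model listing which KDCs the client itself must contact and which of those requests fail when only KDC A is reachable. The realm names come from the thread; the trust map, the reachability set and the function names are constructed for illustration.

```python
from collections import deque

# Constructed sample topology (assumption): a direct A.COM <-> B.COM trust,
# and a client on host.other.com that can reach only the KDC of A.COM.
TRUST = {"A.COM": {"B.COM"}, "B.COM": {"A.COM"}}
REACHABLE_KDCS = {"A.COM"}

def trust_path(trust, src, dst):
    """Shortest chain of realms linked by shared cross-realm keys (BFS)."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(trust.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None  # no trust relationship connects the two realms

def client_exchanges(trust, user_realm, service_realm):
    """(message, kdc_realm) pairs the client must send, in order."""
    path = trust_path(trust, user_realm, service_realm)
    if path is None:
        return None
    # The initial ticket (AS exchange) always comes from the user's own realm.
    steps = [("AS-REQ", user_realm)]
    # One TGS exchange per realm on the path, each sent by the client;
    # the KDCs never forward requests to one another.
    steps += [("TGS-REQ", realm) for realm in path]
    return steps

def blocked_steps(steps, reachable):
    """Exchanges that fail because the client cannot reach that realm's KDC."""
    return [step for step in steps if step[1] not in reachable]

if __name__ == "__main__":
    # Password stored in B.COM: kinit needs an AS exchange with KDC B.
    kinit = client_exchanges(TRUST, "B.COM", "B.COM")[:1]
    print("kinit as a B.COM user, blocked:", blocked_steps(kinit, REACHABLE_KDCS))
    # An A.COM user using the trust still has to talk to KDC B directly.
    cross = client_exchanges(TRUST, "A.COM", "B.COM")
    print("A.COM user, B.COM service, blocked:", blocked_steps(cross, REACHABLE_KDCS))
```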
