Hi Colm,

>>>a) What information is required in the krb5.conf of the tool-dist?

The capaths, realms, domain_realm sections are required, the same as in MIT Kerberos.

>>>b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM
>>>realms) for the "Validate" section of the docs (
>>>https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md)?

To validate that the user ("test") within realm A.EXAMPLE.COM is trusted to access the resource ("hdfs") in another realm B.EXAMPLE.COM, do the following steps; the conf dir is "conf":

1. sh bin/kinit.sh -conf conf [email protected]
   We will get the credential cache ("/tmp/krb5cc_0").

2. sh bin/kinit.sh -conf conf -c /tmp/krb5cc_0 -S [email protected]
   Then we will get the service tgt; MIT Kerberos uses "kvno" to get the service tgt in this step.

Thanks,
Jiajia

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]]
Sent: Friday, November 3, 2017 7:04 PM
To: [email protected]
Subject: Re: Kerby Update

Hi Jiajia,

I've been trying to get this new feature working, but unsuccessfully so far - I get an error:

2017-11-03 10:58:41 INFO{DefaultInternalKrbClient.java:82}-Send to kdc success.
2017-11-03 10:58:41 INFO{KrbHandler.java:120}-KDC server response with message: Unknown error
2017-11-03 10:58:41 INFO{KrbHandler.java:142}-Unknown error

Could you clarify a few points for me please...

a) What information is required in the krb5.conf of the tool-dist?

b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM realms) for the "Validate" section of the docs (https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md)? It's a little unclear as to how exactly it should be used.

Colm.

On Mon, Oct 23, 2017 at 2:22 AM, Li, Jiajia <[email protected]> wrote:
> Hi all,
>
> Recently we have implemented the cross-realm authentication support:
> a KDC in one realm can authenticate users in a different realm, so it
> allows clients from another realm to access the cluster. Cross-realm
> authentication is accomplished by sharing a secret key between the two
> realms. Both backends should have the krbtgt service principals for the
> realms with the same passwords, key version numbers, and encryption types.
> We have used this feature in a Hadoop cluster; after establishing cross
> realm trust between two secure Hadoop clusters with their own realms,
> copying data between the two secure clusters works now. This
> support can also be used to build a trust relationship with an MIT Kerberos KDC,
> and we have tested compatibility.
>
> Here is the document about setting up cross realm:
> https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md
>
> Thanks,
> Jiajia

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
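As an added illustration of the three krb5.conf sections Jiajia names (realms, domain_realm, capaths) for the A.EXAMPLE.COM / B.EXAMPLE.COM pair discussed above, here is a client-side krb5.conf in standard MIT syntax. It is not a file from the thread or from the Kerby project; the KDC hostnames (kdc-a.example.com, kdc-b.example.com) and the DNS domains mapped in [domain_realm] are placeholders chosen for the example.

```ini
# Added example krb5.conf for the tool-dist client in the A.EXAMPLE.COM <-> B.EXAMPLE.COM
# cross-realm setup. Not Kerby's own file; hostnames and domains below are placeholders.

[libdefaults]
    # Realm the "test" user authenticates to first (step 1 of the validation)
    default_realm = A.EXAMPLE.COM

[realms]
    # Placeholder KDC hostname for realm A
    A.EXAMPLE.COM = {
        kdc = kdc-a.example.com
    }
    # Placeholder KDC hostname for realm B, where the "hdfs" service lives
    B.EXAMPLE.COM = {
        kdc = kdc-b.example.com
    }

[domain_realm]
    # Host-to-realm mapping so the client can tell that a service host in
    # b.example.com belongs to B.EXAMPLE.COM and must be reached via the trust
    .a.example.com = A.EXAMPLE.COM
    a.example.com = A.EXAMPLE.COM
    .b.example.com = B.EXAMPLE.COM
    b.example.com = B.EXAMPLE.COM

[capaths]
    # Direct trust in each direction; "." means no intermediate realm is allowed
    # on the path, so a ticket that transited any other realm is rejected
    A.EXAMPLE.COM = {
        B.EXAMPLE.COM = .
    }
    B.EXAMPLE.COM = {
        A.EXAMPLE.COM = .
    }
```

The krb5.conf only tells the client how to find the KDCs and which path between realms is acceptable; the trust itself lives in the two KDC backends, which (as the original announcement says) must each hold the cross-realm krbtgt principals, in standard Kerberos naming krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM and krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM, with identical password, key version number and encryption types on both sides. A mismatch in any of those three is a common cause of an opaque KDC error in step 2, so they are the first thing to compare when the service ticket request fails. Keeping [capaths] explicit with "." rather than relying on hierarchical defaults also limits which transited realms either KDC will accept.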
