i've got a single kerberos server for 2 realms with most of the configuration i want. there are a few things i still need clarification on:

(1) cross-realm authentication

this is discussed in the info page for heimdal where the following is printed:

"For a two way trust between MY.REALM and OTHER.REALM add the following principals to each realm. The principals should be krbtgt/[EMAIL PROTECTED] and krbtgt/[EMAIL PROTECTED] in MY.REALM, and krbtgt/[EMAIL PROTECTED] and krbtgt/[EMAIL PROTECTED] OTHER.REALM.

In Kerberos 5 the trust can be configured to be one way. So that users from MY.REALM can authenticate to services in OTHER.REALM, but not the opposite. In the example above, the krbtgt/[EMAIL PROTECTED] then should be removed.

The two principals must have the same key, key version number, and the same set of encryption types. Remember to transfer the two keys in a safe manner."

i have added these two principals with random keys, krbtgt/[EMAIL PROTECTED] and krbtgt/[EMAIL PROTECTED]. this doesn't work, giving me:

    2006-04-30T00:35:06 Bad request for forwardable ticket

when i try to ssh to host1.realm.2 with [EMAIL PROTECTED] credentials. i get similar messages when i have only one of these two principals specified. i don't see how the two krbtgt principals can be made to have the same key.

(2) sudo using kerberos

i would like to have something similar to sudo access that is logged on my kerberos server. i have little idea how this works or if it is a good idea or not.

any pointers on either of these topics would be great.

cheers,
jake