Adam Megacz wrote:
> I've found that when doing cross-realm trust between two AFS cells
> (both in MIT KDC realms), the foreign-realm principal trying to
> acquire tokens in the local realm must have REQUIRES_PRE_AUTH as an
> attribute in his/her realm in order for aklog to work.
>
> Is this to be expected, or is it a side effect of some mistake I made?
>
> If this is the case ("cross-realm only works when REQUIRES_PRE_AUTH is
> enabled") I can arrange for that attribute to be turned on for all the
> necessary users. I just wanted to see if it was necessary before
> asking for this to be done, and perhaps understand why it is necessary.

I don't know if it is required, but not requiring pre-auth is a poor security practice. It means that anyone can ask for a Kerberos TGT for any principal in your REALM. Then the TGT can be brute-forced off-line in order to obtain the password.

Jeffrey Altman
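A practical follow-up to the point above is to find out which principals in a realm do not yet carry REQUIRES_PRE_AUTH. The script below is an added example, not code from either poster: it parses the text that MIT's `kadmin.local -q "getprinc <principal>"` prints, flags principals whose `Attributes:` line lacks REQUIRES_PRE_AUTH, and emits the `modprinc +requires_preauth` command that turns the attribute on. The sample `getprinc` output and the principal names in it are constructed for the example; the realm EXAMPLE.COM is a placeholder.

```python
"""Audit MIT Kerberos principals for the REQUIRES_PRE_AUTH attribute.

Added example (not part of the original thread). It works on the output
of `kadmin.local -q "getprinc <principal>"`, one block per principal,
and lists the principals that still accept unauthenticated AS requests.
"""
import subprocess
from typing import Dict, List, Set

# Constructed sample of concatenated getprinc output for three principals.
# Only the lines the parser reads (Principal:, Attributes:) matter here;
# a real dump carries many more lines per principal.
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: bob@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes:
Policy: [none]
Principal: host/kdc.example.com@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes: DISALLOW_ALL_TIX
Policy: [none]
"""


def parse_getprinc(output: str) -> Dict[str, Set[str]]:
    """Map each principal in getprinc output to the set of its attributes.

    MIT prints the attributes as space-separated names on one line after
    "Attributes:"; an empty line there means the principal has none.
    """
    result: Dict[str, Set[str]] = {}
    current = None
    for line in output.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            result[current] = set()
        elif line.startswith("Attributes:") and current is not None:
            result[current] = set(line.split(":", 1)[1].split())
    return result


def principals_without_preauth(output: str) -> List[str]:
    """Return (sorted) principals whose attributes lack REQUIRES_PRE_AUTH."""
    return sorted(
        principal
        for principal, attrs in parse_getprinc(output).items()
        if "REQUIRES_PRE_AUTH" not in attrs
    )


def remediation_commands(principals: List[str]) -> List[str]:
    """kadmin.local invocations that enable pre-authentication for each principal."""
    return [f'kadmin.local -q "modprinc +requires_preauth {p}"' for p in principals]


def dump_realm_getprinc() -> str:
    """Collect live getprinc output for every principal (needs KDB access, i.e. root)."""
    listing = subprocess.run(
        ["kadmin.local", "-q", "listprincs"], capture_output=True, text=True, check=True
    ).stdout
    principals = [ln.strip() for ln in listing.splitlines() if "@" in ln]
    blocks = []
    for p in principals:
        blocks.append(
            subprocess.run(
                ["kadmin.local", "-q", f"getprinc {p}"],
                capture_output=True, text=True, check=True,
            ).stdout
        )
    return "".join(blocks)


if __name__ == "__main__":
    # Run offline against the constructed sample; swap in dump_realm_getprinc()
    # on a KDC host to audit a real database.
    missing = principals_without_preauth(SAMPLE_GETPRINC)
    for line in remediation_commands(missing):
        print(line)
```

Run it as-is to see the two flagged principals from the sample; on a KDC, call `dump_realm_getprinc()` instead of using the sample. The script only reports and prints the remediation commands rather than applying them, so the change to each principal remains an explicit administrative step.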