Does anyone have pointers to comprehensive documentation of how to make cross-realm authentication work?
I have three Kerberos realms, all running MIT KDCs, which we'll call ONE.NET, TWO.NET, and FOO.TWO.NET. If I grab a TGT for a principal in realm FOO.TWO.NET, I can acquire tickets for services in the TWO.NET realm. If I grab a TGT for a principal in the TWO.NET realm, I can acquire tickets for services in the ONE.NET realm. The problem is that I can't use a TGT from FOO.TWO.NET to get a service ticket from ONE.NET.

Looking at the logs for the ONE.NET KDC, I see these error messages:

    bad realm transit path from '[EMAIL PROTECTED]' to '[EMAIL PROTECTED]' via 'TWO.NET'
    TGS_REQ (3 etypes {16 1 3}) 64.22.202.18(88): BAD_TRANSIT: authtime 1011926513, [EMAIL PROTECTED] for [EMAIL PROTECTED], KDC policy rejects request

I'm sure there must be a simple answer to this problem, but I haven't been able to find it yet in my search through the MIT documentation and on the web.

Thanks,
Steve Langasek
postmodern programmer
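Added note, not part of Steve's post: an MIT KDC produces BAD_TRANSIT when the realms listed in the ticket's transited field do not match the path it expects, and the path it expects comes from the [capaths] section of its own krb5.conf (falling back to the hierarchical default when none is configured). The fragment below is an illustrative [capaths] section using the realm names from the post, declaring TWO.NET as the intermediate realm in both directions; it assumes the cross-realm keys between FOO.TWO.NET/TWO.NET and TWO.NET/ONE.NET already exist, as the post describes.

```ini
# Illustrative krb5.conf fragment (not from the original post).
# Client realm = { server realm = intermediate realm(s) }.
# "." would mean a direct path with no intermediate realm.
[capaths]
    FOO.TWO.NET = {
        ONE.NET = TWO.NET
    }
    ONE.NET = {
        FOO.TWO.NET = TWO.NET
    }
```

The section has to be present on the KDC of the service realm (here ONE.NET) as well as on the clients, since it is the service-realm KDC that validates the transited path.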