First, keep in mind that in the Kerberos world (but not the Active Directory world), a cross-realm key says very little about trust.

If I share a key between company A and company B, then I'm trusting that company B's KDC will accurately represent the identities of company B users. Or, put another way, the company B KDC must be trusted at least as much as any user claiming to be from company B. That is a weak trust requirement.

The real-world example you cite is problematic, because while Kerberos and LDAP are up to the task, Solaris isn't quite and pam_krb5 definitely is not. Most Unix systems expect to find all their LDAP account information in one place and to have a single unified namespace for accounts. If your uids and usernames are unique across all companies, you can make the Solaris box happy with referrals. But most instances of pam_krb5 assume they can convert a login name to a Kerberos principal simply by appending a default realm. This is not inherent; you simply need to decide what behavior you want and write code to accomplish it.

--Sam

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
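The two points in Sam's message (a cross-realm key only says "trust realm B's KDC about realm B users", and pam_krb5's login-name-to-principal mapping is a policy you can replace) can be made concrete in code. The block below is an added illustration, not code from pam_krb5, MIT Kerberos or the thread. It assumes a constructed account table in which each local account records the realm whose KDC is authoritative for it (in a real deployment this would be an LDAP attribute); the realm names, usernames and uids are invented for the example. The forward mapping picks the realm per account instead of appending one default realm; the reverse mapping plays the role that auth_to_local rules play in krb5.conf, accepting a ticket for a local account only when the ticket's realm is the one that owns that account.

```python
# Added example: per-account realm mapping for a multi-company Kerberos
# deployment. Not pam_krb5 code; all names and the table are constructed.

DEFAULT_REALM = "A.EXAMPLE"  # constructed: the realm pam_krb5 would append

# Constructed account directory. Each local account names the realm whose KDC
# is trusted to vouch for it. Real deployments would read this from LDAP.
ACCOUNTS = {
    "alice": {"uid": 10001, "realm": "A.EXAMPLE"},
    "bob":   {"uid": 20001, "realm": "B.EXAMPLE"},
    "carol": {"uid": 10002, "realm": "A.EXAMPLE"},
}


def login_to_principal(login, accounts=ACCOUNTS, default_realm=DEFAULT_REALM):
    """Map a Unix login name to the principal to obtain a ticket for.

    The pam_krb5 behaviour described in the thread is simply
    f"{login}@{default_realm}". Here the realm comes from the account entry,
    so 'bob' is sent to company B's KDC rather than company A's. Unknown
    logins are rejected rather than silently qualified with default_realm.
    """
    entry = accounts.get(login)
    if entry is None:
        raise KeyError(f"unknown local account: {login}")
    return f"{login}@{entry['realm']}"


def principal_to_login(principal, accounts=ACCOUNTS):
    """Reverse mapping used on the authorization side.

    A ticket for user@REALM maps to local account 'user' only if that
    account's recorded realm is REALM. This is what keeps the cross-realm
    trust weak: company B's KDC may issue tickets for anyone@B.EXAMPLE, but
    alice@B.EXAMPLE does not become the local 'alice', whose realm is A.
    Returns the login name, or None if the ticket must not be accepted.
    """
    if "@" not in principal:
        raise ValueError("principal must be fully qualified: user@REALM")
    name, realm = principal.rsplit("@", 1)
    if "/" in name:
        # Multi-component principals (e.g. bob/admin@B.EXAMPLE) are not
        # login accounts; refuse rather than guess.
        return None
    entry = accounts.get(name)
    if entry is None or entry["realm"] != realm:
        return None
    return name


if __name__ == "__main__":
    for login in ("alice", "bob"):
        print(login, "->", login_to_principal(login))
    for princ in ("bob@B.EXAMPLE", "alice@B.EXAMPLE", "bob/admin@B.EXAMPLE"):
        print(princ, "->", principal_to_login(princ))
```

The check in principal_to_login is the part that matters for the trust argument: without it, any principal name company B's KDC chose to issue would be accepted as whichever local account shares the name, which is exactly the stronger trust Sam says a cross-realm key does not require you to extend.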