Hello kerberos subscribers,

the following question bothers a colleague of mine and me. We had a little argument about this because we need to set up something like it at work (Windows and MIT).

Is it possible to have a user who is defined in realm ONE.NET do a kinit against the KDC of realm TWO.NET, where he isn't defined, but where the two KDCs have a cross-realm trust set up between them?

If I try this in a test setup, the KDC of realm TWO.NET says

kinit(v5): Client not found in Kerberos database while getting initial credentials

As far as I understood the cross-realm mechanism, the thing in question isn't possible, because the user of realm ONE.NET has to have a TGT of his own realm first. Only then can he get the krbtgt for realm TWO.COM.

A little side question: does the user get the krbtgt for the other realm from his own KDC (ONE.NET), or does he get it from the foreign KDC (TWO.NET)? I would say from his own, but I am not sure.

However, maybe there is some krb5.conf setting (or somewhere else) that tells the KDC of realm TWO.NET to ask the KDC of realm ONE.NET for the credentials?

TIA and kind regards,

Timo
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
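The exchange the question is about, as an added example that is not part of the original post or of MIT Kerberos: a toy model of two KDCs with a cross-realm trust, written in Python. It reproduces the behaviour seen above (an AS-REQ, which is what kinit sends, succeeds only against the KDC that holds the client principal) and then walks the path that does work: AS-REQ to the home realm, a TGS-REQ to the home KDC for the cross-realm TGT krbtgt/TWO.NET@ONE.NET, and a TGS-REQ to the foreign KDC with that TGT. The principal names, keys, the service host/srv.two.net@TWO.NET and the "transited" bookkeeping are constructed for the example; tickets are HMAC-tagged JSON rather than the real encrypted ASN.1 ticket, and the KDC error strings are copied from the post, not produced by real krb5 code.

```python
"""Toy model of Kerberos cross-realm authentication (constructed example, not real krb5).

Both KDCs hold the same inter-realm key under the principal krbtgt/TWO.NET@ONE.NET.
A ticket is modelled as a dict tagged with an HMAC under the key of the service it is
for; a real KDC encrypts the ticket under that key instead.
"""
import hashlib
import hmac
import json
import os


class KrbError(Exception):
    """Stands in for the KRB-ERROR a real KDC returns."""


class ToyKDC:
    """One realm's KDC together with its principal database (name -> key)."""

    def __init__(self, realm, principals):
        self.realm = realm
        self.db = principals

    def _seal(self, body):
        # Tag the ticket under the key of the service it is issued for.
        key = self.db[body["service"]]
        data = json.dumps(body, sort_keys=True).encode()
        return {"body": body, "tag": hmac.new(key, data, hashlib.sha256).hexdigest()}

    def _open(self, ticket):
        # A presented TGT is only usable if this KDC holds the key it was sealed with.
        key = self.db.get(ticket["body"]["service"])
        if key is None:
            raise KrbError("Server not found in Kerberos database")
        data = json.dumps(ticket["body"], sort_keys=True).encode()
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ticket["tag"]):
            raise KrbError("Ticket integrity check failed")
        return ticket["body"]

    def as_req(self, client):
        """AS exchange (what kinit does). Only clients in *this* database exist."""
        if client not in self.db:
            raise KrbError("Client not found in Kerberos database while getting initial credentials")
        tgt_name = f"krbtgt/{self.realm}@{self.realm}"
        return self._seal({"client": client, "service": tgt_name, "transited": []})

    def tgs_req(self, tgt, service):
        """TGS exchange. Works for any TGT this KDC can open, including a cross-realm one."""
        body = self._open(tgt)
        if service not in self.db:
            raise KrbError(f"Server not found in Kerberos database: {service}")
        issuer = body["service"].split("@")[1]  # realm that issued the presented TGT
        transited = body["transited"] + ([issuer] if issuer != self.realm else [])
        return self._seal({"client": body["client"], "service": service, "transited": transited})


def get_service_ticket(kdcs, client, service):
    """Client-side logic: kinit in the home realm, then cross over to the service's realm."""
    client_realm = client.split("@")[1]
    service_realm = service.split("@")[1]
    tgt = kdcs[client_realm].as_req(client)  # kinit always talks to the HOME realm
    if service_realm != client_realm:
        # The cross-realm TGT comes from the client's own KDC, sealed under the shared key.
        tgt = kdcs[client_realm].tgs_req(tgt, f"krbtgt/{service_realm}@{client_realm}")
    return kdcs[service_realm].tgs_req(tgt, service)["body"]


def direct_kinit_error(kdcs, client, realm):
    """Return the error a kinit against `realm` produces for `client`, or None on success."""
    try:
        kdcs[realm].as_req(client)
    except KrbError as err:
        return str(err)
    return None


def build_realms():
    """Constructed test data: two realms sharing one inter-realm key."""
    shared = os.urandom(32)
    one = ToyKDC("ONE.NET", {
        "timo@ONE.NET": os.urandom(32),
        "krbtgt/ONE.NET@ONE.NET": os.urandom(32),
        "krbtgt/TWO.NET@ONE.NET": shared,  # the cross-realm trust, as seen by ONE.NET
    })
    two = ToyKDC("TWO.NET", {
        "host/srv.two.net@TWO.NET": os.urandom(32),
        "krbtgt/TWO.NET@TWO.NET": os.urandom(32),
        "krbtgt/TWO.NET@ONE.NET": shared,  # same key, so TWO.NET can open tickets ONE.NET issued
    })
    return {"ONE.NET": one, "TWO.NET": two}


if __name__ == "__main__":
    kdcs = build_realms()
    print("kinit timo@ONE.NET against TWO.NET:", direct_kinit_error(kdcs, "timo@ONE.NET", "TWO.NET"))
    print("via home realm:", get_service_ticket(kdcs, "timo@ONE.NET", "host/srv.two.net@TWO.NET"))
```

Running it shows the foreign KDC rejecting the direct kinit while the home-realm path yields a service ticket whose "transited" list records ONE.NET; removing the shared krbtgt/TWO.NET@ONE.NET entry from either database makes the second step fail, which is the simplest check that a trust is configured on both sides.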
