Timo Veith wrote:

> Hello kerberos subscribers,
>
> the following question bothers a colleague of mine and me. We had a little argument about this because we need to set up something like it at work (Windows and MIT).
>
> Is it possible to have a user who is defined in realm ONE.NET do a kinit against the KDC of realm TWO.NET, where he isn't defined, but the two KDCs have set up a cross-realm trust between them?

It does not work like that. The user authenticates in his own realm and gets a TGT. When he wants to use a server that is in the other realm, the libs use the user's TGT to get a cross-realm TGT that is then used to get a service ticket from the other realm.


> If I try this in a test setup, the KDC of realm TWO.NET says
>
> kinit(v5): Client not found in Kerberos database while getting initial credentials


> As far as I understood the cross-realm mechanism, the questioned thing isn't possible, because the user of realm ONE.NET has to have a TGT of his own realm first. Only then can he get the krbtgt for realm TWO.COM.


Yes.

> Little question aside: Does the user get the krbtgt for the other realm from his own KDC (ONE.NET) or does he get it from the foreign KDC (TWO.NET)? I would say from his own, but I am not sure.

Yes.


> However, maybe there is some krb5.conf setting (or somewhere else) that tells the KDC of realm TWO.NET to ask the KDC of realm ONE.NET for the credentials?


> TIA and kind regards,

Also keep in mind that Kerberos does authentication. Windows uses Kerberos and adds authorization data (PAC) to the Kerberos tickets. This has group and user information as defined by the user's realm. So if you are doing cross-realm between a Windows domain and a Kerberos realm, Windows servers expect the PAC, Unix servers don't. But there are ways around this; a PAC can be added.

Example:
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
11/12/04 08:59:53  11/12/04 18:45:45  krbtgt/[EMAIL PROTECTED]  (original TGT)
11/12/04 08:59:53  11/12/04 18:45:45  krbtgt/[EMAIL PROTECTED] (cross realm TGT)
11/12/04 12:50:31  11/12/04 18:45:45  host/[EMAIL PROTECTED] (service ticket)



> Timo




--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
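As an added illustration of the ticket chain described in the reply above (this is not code from the list or from MIT Kerberos), the following script parses klist output like the example given and works out, for each cached ticket, which other ticket it must have been obtained with. It assumes a direct trust between ONE.NET and TWO.NET with no [capaths] hops, and the principal names in the sample are made up because the page redacts them.

```python
import re
# Constructed sample modelled on the klist output quoted in the reply above;
# the principal names are assumptions, since the page redacts them.
SAMPLE_KLIST = """\
Default principal: timo@ONE.NET

Valid starting     Expires            Service principal
11/12/04 08:59:53  11/12/04 18:45:45  krbtgt/ONE.NET@ONE.NET
11/12/04 08:59:53  11/12/04 18:45:45  krbtgt/TWO.NET@ONE.NET
11/12/04 12:50:31  11/12/04 18:45:45  host/server.two.net@TWO.NET
"""
# "<date> <time>  <date> <time>  <service principal>"; trailing annotations are ignored.
TICKET_LINE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+@\S+)")

def parse_klist(text):
    """Return (client principal, list of cached service principals)."""
    client, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            client = line.split(":", 1)[1].strip()
        elif m := TICKET_LINE.match(line):
            tickets.append(m.group(1))
    return client, tickets

def classify(service_principal):
    """Label a ticket as initial TGT, cross-realm TGT or service ticket."""
    service, _, issuing_realm = service_principal.rpartition("@")
    if service == "krbtgt/" + issuing_realm:
        return "initial TGT"
    return "cross-realm TGT" if service.startswith("krbtgt/") else "service ticket"

def explain_chain(text):
    """Map each cached ticket to the ticket it must have been obtained with.
    Assumes a direct trust (no [capaths] hops): initial TGT from the home KDC via
    AS exchange, cross-realm TGT from the home KDC against that TGT, foreign service
    ticket from the foreign KDC against the cross-realm TGT. None = prerequisite missing.
    """
    client, tickets = parse_klist(text)
    client_realm = client.rpartition("@")[2]
    have, chain = set(tickets), {}
    for t in tickets:
        realm, kind = t.rpartition("@")[2], classify(t)
        if kind == "initial TGT":
            chain[t] = "AS exchange with KDC of " + realm
        else:
            via = realm if kind == "cross-realm TGT" or realm == client_realm else client_realm
            need = "krbtgt/%s@%s" % (realm, via)
            chain[t] = need if need in have else None
    return chain
```

Running explain_chain on a cache that lacks the cross-realm TGT maps the TWO.NET service ticket to None, which is the situation the original question describes: without krbtgt/TWO.NET@ONE.NET, issued by the user's own KDC, there is nothing to present to the TWO.NET KDC.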
