
Re: cross-realm in heimdal?



Leif Johansson <leifj@matematik.su.se> writes:

> Does it work and if so how does one go about it?

It worked the last time I tried it. :-) If you want to use simple
two-way cross realm authentication, you just add two keys (krbtgt/A@B
and krbtgt/B@A) to the databases. Both principals should have the same
key in both databases, but they don't have to have the same key (that
is krbtgt/A@B doesn't have to have the same key as krbtgt/B@A), unless
you want to support cross-realm Kerberos 4.

There is no support for hierarchical realms yet (shouldn't be too
difficult to add), but you can fake this with (possibly many) capaths,
like this:

[libdefaults]
	default_realm = C.B.A
	capath = {
		D.B.A = B.A
		E.B.A = B.A
	}

and then just share a key with B.A.

/Johan
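
The key layout described in the message above, as an added example that is not part of the original message or of Heimdal: it reads a capath block in the layout shown and lists which krbtgt principals must exist, and in which realms' databases, for each hop. The function names are hypothetical, the sample config is constructed from the message, and it assumes each capath entry means "reach the left-hand realm via the right-hand realm".

```python
# Constructed sample input mirroring the capath block from the message.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = C.B.A
    capath = {
        D.B.A = B.A
        E.B.A = B.A
    }
"""

def parse_capath(conf):
    """Return (default_realm, {destination_realm: intermediate_realm})."""
    default_realm, hops, in_capath = None, {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_capath:
            if line == "}":
                in_capath = False
            else:
                dest, _, via = (p.strip() for p in line.partition("="))
                hops[dest] = via
        elif line.startswith("capath") and line.endswith("{"):
            in_capath = True
        elif line.startswith("default_realm"):
            default_realm = line.partition("=")[2].strip()
    return default_realm, hops

def required_keys(conf, two_way=True):
    """Map each needed principal to the two realms that must hold the same key."""
    local, hops = parse_capath(conf)
    needed = {}
    for dest, via in hops.items():
        path = [local, via, dest]  # one intermediate hop, as in the message
        for src, dst in zip(path, path[1:]):
            pairs = [(src, dst)] + ([(dst, src)] if two_way else [])
            for issuer, target in pairs:
                # krbtgt/TARGET@ISSUER: key ISSUER's KDC uses for tickets toward TARGET
                needed[f"krbtgt/{target}@{issuer}"] = tuple(sorted((issuer, target)))
    return needed

if __name__ == "__main__":
    for principal, realms in sorted(required_keys(SAMPLE_CONF).items()):
        print(f"{principal:20} same key in: {', '.join(realms)}")
```

No principal pairs C.B.A directly with D.B.A or E.B.A; every shared key involves B.A, so that realm's KDC is the one whose key hygiene the whole path depends on.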