Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...


To obtain a cross-realm ticket for a service located in
another domain, an MS w2k client sends a request for a
ticket in the service's short name to its KDC (a
Kerberos Realm). So, a request for the service
host/service-name.foo.org will be sent as
host/service-name. Hence the KDC must look for the
correct realm of service-name. (Up to this point,
please correct me if my understanding is wrong)....
How does Heimdal handle this issue of finding the
correct realm? I understand that the issue can be
resolved by adding entries in DNS or in the [domain_realms]
section of krb5.conf. Well, I tried both methods, and
it works... but I need to create an entry for every single
server, for example:
server A is mapped to realm FOO.ORG
server B is mapped to realm BAR.ORG
etc etc....
This will be tedious!!!
Moreover, for using DNS, I had to modify the source
code a little bit (as explained in my previous
discussion with Johan Danielsson).

I imagine that it would be better if the mapping is done
from the domain name of the server to the realm instead
of from every single server in the domain to the

Pragai Robert once mentioned in one of his emails
that he has managed to make cross-realm authentication
>I've managed to authenticate via a Win2K client to a
>Heimdal realm and
>then to a Win2K server, but I think the client asked
>for a cross-realm TGT first from the
>Heimdal KDC and then asked the Win2K KDC to give the
>right service ticket to her.


Do you mind sharing your experience with me, Robert?
Or somebody else maybe?
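As an added illustration (example code written for this page, not Heimdal's or MIT's implementation) of the host-to-realm mapping discussed above: the standard krb5.conf [domain_realm] section (spelled [domain_realms] in the message) accepts two kinds of keys, an exact host name and a leading-dot domain that covers every host beneath it, so one line per domain replaces one line per server. The script below parses a constructed [domain_realm] fragment and models the usual lookup order: the exact host name first, then each parent domain with a leading dot, then the caller's default realm. The sample hosts, the FOO.ORG and BAR.ORG entries and the helper names are assumptions made for the example.

```python
"""Model of [domain_realm]-style host-to-realm mapping in Kerberos.

Added example for illustration; not code from Heimdal or MIT krb5.
"""

# Constructed sample of a krb5.conf [domain_realm] section (assumption,
# not taken from any real configuration).  A key without a leading dot
# matches exactly that host; a key with a leading dot matches every host
# under that domain, so the domain-wide entries cover all servers in it.
SAMPLE_DOMAIN_REALM = """
[domain_realm]
    .foo.org = FOO.ORG
    foo.org = FOO.ORG
    .bar.org = BAR.ORG
    special.bar.org = FOO.ORG
"""


def parse_domain_realm(text):
    """Return {key: REALM} for the entries of the [domain_realm] section."""
    mapping = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            # Only entries inside [domain_realm] are relevant here.
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip().upper()
    return mapping


def realm_for_host(hostname, mapping, default_realm=None):
    """Map a host name to a realm.

    Lookup order models the usual client/KDC behaviour:
      1. the exact host name,
      2. each parent domain with a leading dot, most specific first,
      3. the default realm (None if the caller gives none).
    A bare short name such as 'server-a' has no domain labels, so it can
    only fall through to the default; that is why the short-name request
    described in the message cannot be resolved by [domain_realm] alone.
    """
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return default_realm


if __name__ == "__main__":
    table = parse_domain_realm(SAMPLE_DOMAIN_REALM)
    for h in ("server-a.foo.org", "db.sub.bar.org", "special.bar.org", "server-a"):
        print(f"{h:20} -> {realm_for_host(h, table)}")
```

Two points worth checking in a real configuration: an exact-host entry always wins over the domain-wide one (special.bar.org above lands in FOO.ORG although .bar.org maps to BAR.ORG), so a stale per-host line can quietly send a service to a different KDC than its domain suggests; and a short name with no domain labels never matches a domain entry, so the request must be canonicalised to a fully qualified name before the mapping can help.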


