[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cross realm authentication details

---- Original message ----
>Date: Sun, 30 Apr 2006 18:20:51 -0400
>From: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>  
>Subject: Re: cross realm authentication details  
>To: dick@uchicago.edu
>Cc: heimdal-discuss@sics.se
>On Apr 30, 2006, at 5:31 , Jacob Yocom-Piatt wrote:
>> i have tried doing this by adding 2 principals, krbtgt/REALM. 
>> 1@REALM.2 and
>> krbtgt/REALM.2@REALM.1, to my KDC via the kadmin interface using
>> add --random-key krbtgt/REALM.1@REALM.2
>> add --random-key krbtgt/REALM.2@REALM.1
>I don't think that's going to work:  the principals need to have the  
>same key, whereas --random-key will generate a distinct (hopefully)  
>random key for each one.


this was the part i was confused about from the heimdal docs. i was to
understand that these principals had distinct keys and that these two principals
had to have the same keys on two separate servers, if you had a separate KDC for
REALM.1 and REALM.2.

it seems that this is also the manner in which it's interpreted in
http://www.zeroshell.net/eng/kerberos/#1.6 , i.e. each of these prinicipals has
its own key and those keys match across KDCs.

if these two principals do need the same key, what command do i issue to copy
the key? could the ticket life parameters be responsible for what i'm seeing? i

         Max ticket life: 1 day
      Max renewable life: 1 week

for the cross realm TGTs and

         Max ticket life: unlimited
      Max renewable life: unlimited

for the intra realm TGTs.