Re: cross realm authentication details
---- Original message ----
>Date: Sun, 30 Apr 2006 18:20:51 -0400
>From: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
>Subject: Re: cross realm authentication details
>To: dick@uchicago.edu
>Cc: heimdal-discuss@sics.se
>
>
>On Apr 30, 2006, at 5:31 , Jacob Yocom-Piatt wrote:
>
>> i have tried doing this by adding 2 principals, krbtgt/REALM.1@REALM.2 and
>> krbtgt/REALM.2@REALM.1, to my KDC via the kadmin interface using
>>
>> add --random-key krbtgt/REALM.1@REALM.2
>> add --random-key krbtgt/REALM.2@REALM.1
>
>I don't think that's going to work: the principals need to have the
>same key, whereas --random-key will generate a distinct (hopefully)
>random key for each one.
>
brandon,
this was the part i was confused about from the heimdal docs. i was to
understand that these principals had distinct keys and that these two principals
had to have the same keys on two separate servers, if you had a separate KDC for
REALM.1 and REALM.2.
it seems that this is also the manner in which it's interpreted in
http://www.zeroshell.net/eng/kerberos/#1.6 , i.e. each of these principals has
its own key and those keys match across KDCs.
if these two principals do need the same key, what command do i issue to copy
the key? could the ticket life parameters be responsible for what i'm seeing? i have
Max ticket life: 1 day
Max renewable life: 1 week
for the cross realm TGTs and
Max ticket life: unlimited
Max renewable life: unlimited
for the intra realm TGTs.
cheers,
jake
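Because the thread turns on where the keys have to match, the following is an added stand-alone model of the two KDC databases; it is not Heimdal code and not from anyone on the list. In Kerberos cross-realm trust the KDC of REALM.1 encrypts the cross-realm TGT with its copy of the key for krbtgt/REALM.2@REALM.1, and the KDC of REALM.2 can only decrypt that ticket if its own database holds krbtgt/REALM.2@REALM.1 with the identical key (and the same kvno). The two principals, krbtgt/REALM.2@REALM.1 and krbtgt/REALM.1@REALM.2, may have different keys from each other; what must match is each principal's key across the two KDCs. The model uses an HMAC-SHA256 tag in place of real ticket encryption so it runs with only the standard library; the realm names, the client name jake@REALM.1 and the random keys are constructed.

```python
import hashlib
import hmac
import json
import os

# Constructed model: each "database" maps a principal name to its key.
# An HMAC-SHA256 tag under the krbtgt key stands in for the encryption
# Kerberos applies to the cross-realm TGT.

CROSS_REALM_PRINCIPALS = ["krbtgt/REALM.2@REALM.1", "krbtgt/REALM.1@REALM.2"]


def make_cross_realm_tgt(issuer_db, local_realm, remote_realm, client):
    """KDC of local_realm issues a TGT for remote_realm's ticket-granting
    service, protected with its own copy of krbtgt/<remote>@<local>."""
    sname = f"krbtgt/{remote_realm}@{local_realm}"
    key = issuer_db[sname]
    body = json.dumps({"client": client, "sname": sname}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return {"sname": sname, "body": body, "tag": tag}


def accept_cross_realm_tgt(remote_db, ticket):
    """KDC of the remote realm looks up the same principal name in its own
    database and checks the ticket with that key. Returns True if accepted."""
    key = remote_db.get(ticket["sname"])
    if key is None:
        return False
    expected = hmac.new(key, ticket["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket["tag"])


def build_databases(shared_keys):
    """Return (db_realm1, db_realm2).

    shared_keys=True  : each cross-realm principal has one key, copied into
                        both KDCs (what the trust requires; e.g. adding the
                        principal with the same password on both KDCs).
    shared_keys=False : each KDC generated its own random key independently
                        (what running --random-key on each KDC produces)."""
    if shared_keys:
        keys = {name: os.urandom(32) for name in CROSS_REALM_PRINCIPALS}
        return dict(keys), dict(keys)
    db1 = {name: os.urandom(32) for name in CROSS_REALM_PRINCIPALS}
    db2 = {name: os.urandom(32) for name in CROSS_REALM_PRINCIPALS}
    return db1, db2


def cross_realm_roundtrip(shared_keys):
    """Try both directions (REALM.1 -> REALM.2 and REALM.2 -> REALM.1).
    Returns (accepted_1_to_2, accepted_2_to_1)."""
    db1, db2 = build_databases(shared_keys)
    t12 = make_cross_realm_tgt(db1, "REALM.1", "REALM.2", "jake@REALM.1")
    t21 = make_cross_realm_tgt(db2, "REALM.2", "REALM.1", "jake@REALM.2")
    return accept_cross_realm_tgt(db2, t12), accept_cross_realm_tgt(db1, t21)


if __name__ == "__main__":
    print("same key on both KDCs :", cross_realm_roundtrip(True))
    print("independent random keys:", cross_realm_roundtrip(False))
```

Running it shows both directions accepted when each krbtgt principal's key is identical in both databases, and both rejected when each KDC generated its own key, even though the principal names are the same everywhere. The model also keeps the two principals' keys distinct from each other, which is the normal arrangement; only the copy in the other KDC has to match.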