This example uses two realms: ENG.EAST.ACME.COM and SALES.WEST.ACME.COM. Cross-realm authentication will be established in both directions. This procedure must be completed on the master KDC in both realms.
Prerequisites for establishing direct cross-realm authentication.
This procedure requires that the master KDC for each realm has been configured. To fully test the process, several clients or slave KDCs must be installed.
Become superuser on one of the master KDC servers.
Create ticket-granting ticket service principals for the two realms using kadmin.
You must log on with one of the admin principal names that was created when configuring the master KDC.
# /usr/krb5/sbin/kadmin -p kws/admin
Enter password: <Enter kws/admin password>
kadmin: addprinc krbtgt/ENG.EAST.ACME.COM@SALES.WEST.ACME.COM
Enter password for principal krbtgt/ENG.EAST.ACME.COM@SALES.WEST.ACME.COM: <type the password>
kadmin: addprinc krbtgt/SALES.WEST.ACME.COM@ENG.EAST.ACME.COM
Enter password for principal krbtgt/SALES.WEST.ACME.COM@ENG.EAST.ACME.COM: <type the password>
kadmin: quit
The password entered for each service principal must be identical in both KDCs: for example, the password for krbtgt/ENG.EAST.ACME.COM@SALES.WEST.ACME.COM must be the same in both realms, because the two KDCs share that key.
Add entries in the Kerberos configuration file (krb5.conf) to define the direct path to the remote realm.
This example is for the clients in the ENG.EAST.ACME.COM realm. You would swap the realm names to get the appropriate definitions in the SALES.WEST.ACME.COM realm.
# cat /etc/krb5/krb5.conf
[libdefaults]
  .
  .
[capaths]
ENG.EAST.ACME.COM = {
    SALES.WEST.ACME.COM = .
}
SALES.WEST.ACME.COM = {
    ENG.EAST.ACME.COM = .
}
Copy the Kerberos configuration file to all clients in the current realm.
In order for the cross-realm authentication to work, all systems (including slave KDCs and other servers) must have the new version of the Kerberos configuration file (krb5.conf) installed.
Repeat these steps for the second realm.
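As an added check that is not part of the original procedure, the following Python script parses the [capaths] section of a krb5.conf (a constructed copy of the stanza above), confirms that a direct path ("." value) is defined in both directions between the two realms, and derives the krbtgt service principals that both master KDCs must hold for those paths. The function and variable names are this example's own.

```python
import re

# Constructed krb5.conf fragment matching the procedure's ENG.EAST.ACME.COM example.
# In [capaths], a value of "." means a direct path with no intermediate realm.
ENG_KRB5_CONF = """\
[libdefaults]
    default_realm = ENG.EAST.ACME.COM

[capaths]
    ENG.EAST.ACME.COM = {
        SALES.WEST.ACME.COM = .
    }
    SALES.WEST.ACME.COM = {
        ENG.EAST.ACME.COM = .
    }
"""

def parse_capaths(conf):
    """Return {client_realm: {server_realm: path}} from the [capaths] section."""
    capaths, section, client = {}, None, None
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r'\[(\w+)\]', line)
        if header:
            section, client = header.group(1), None
            continue
        if section != 'capaths':
            continue
        if line == '}':
            client = None                        # end of a client-realm block
        elif line.endswith('{'):
            client = line[:-1].strip(' =')       # "REALM = {" opens a block
            capaths.setdefault(client, {})
        elif client and '=' in line:
            server, path = (s.strip() for s in line.split('=', 1))
            capaths[client][server] = path
    return capaths

def direct_paths_missing(conf, realm_a, realm_b):
    """List (client, server) pairs between the two realms that lack a direct path."""
    capaths = parse_capaths(conf)
    return [(c, s) for c, s in ((realm_a, realm_b), (realm_b, realm_a))
            if capaths.get(c, {}).get(s) != '.']

def required_krbtgt_principals(capaths):
    """For every direct path client->server, both KDCs need krbtgt/server@client."""
    return {f"krbtgt/{server}@{client}"
            for client, servers in capaths.items()
            for server, path in servers.items() if path == '.'}
```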