The example in this procedure establishes cross-realm authentication between CORP.EAST.EXAMPLE.COM and EAST.EXAMPLE.COM in both directions. This procedure must be performed on the master KDC in both realms.
Before You Begin
The master KDC for each realm is configured. To fully test the authentication process, you need several clients.
You must assume the root role on both KDC servers. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .
You must log in with one of the admin principal names that was created when you configured the master KDC.
# /usr/sbin/kadmin -p kws/admin Enter password: xxxxxxxx kadmin: addprinc krbtgt/CORP.EAST.EXAMPLE.COM@EAST.EXAMPLE.COM Enter password for principal krbtgt/CORP.EAST.EXAMPLE.COM@EAST.EXAMPLE.COM:/** Type strong password **/ kadmin: addprinc krbtgt/EAST.EXAMPLE.COM@CORP.EAST.EXAMPLE.COM Enter password for principal krbtgt/EAST.EXAMPLE.COM@CORP.EAST.EXAMPLE.COM:/** Type strong password **/ kadmin: quit
# pfedit /etc/krb5/krb5.conf [libdefaults] . . [domain_realm] .corp.east.example.com = CORP.EAST.EXAMPLE.COM .east.example.com = EAST.EXAMPLE.COM
In this example, domain names for the CORP.EAST.EXAMPLE.COM and EAST.EXAMPLE.COM realms are defined. The subdomain must precede the domain name in the file, because the file is searched top down.
For cross-realm authentication to work, all systems (including slave KDCs and other servers) must use the master KDC's version of /etc/krb5/krb5.conf.