Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

How to Establish Hierarchical Cross-Realm Authentication

The example in this procedure establishes cross-realm authentication between CORP.EAST.EXAMPLE.COM and EAST.EXAMPLE.COM in both directions. This procedure must be performed on the master KDC in both realms.

Before You Begin

The master KDC for each realm is configured. To fully test the authentication process, you need several clients.

You must assume the root role on both KDC servers. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

  1. Create ticket-granting ticket service principals for the two realms.

    You must log in with one of the admin principal names that was created when you configured the master KDC.

    # /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin: addprinc krbtgt/CORP.EAST.EXAMPLE.COM@EAST.EXAMPLE.COM
    Enter password for principal krbtgt/CORP.EAST.EXAMPLE.COM@EAST.EXAMPLE.COM:/** Type strong password **/
    kadmin: addprinc krbtgt/EAST.EXAMPLE.COM@CORP.EAST.EXAMPLE.COM
    Enter password for principal krbtgt/EAST.EXAMPLE.COM@CORP.EAST.EXAMPLE.COM:/** Type strong password **/
    kadmin: quit

    Note -  Save and store these passwords in a safe location.
  2. Add entries to the Kerberos configuration file to define domain names for every realm.
    # pfedit /etc/krb5/krb5.conf

    In this example, domain names for the CORP.EAST.EXAMPLE.COM and EAST.EXAMPLE.COM realms are defined. The subdomain must precede the domain name in the file, because the file is searched top down.

  3. Copy the Kerberos configuration file to all clients in this realm.

    For cross-realm authentication to work, all systems (including slave KDCs and other servers) must use the master KDC's version of /etc/krb5/krb5.conf.

  4. Repeat this procedure in the second realm.

    Note -  The password that is specified for each service principal must be identical in both KDCs. Thus, the password for the service principal krbtgt/CORP.EAST.EXAMPLE.COM@EAST.EXAMPLE.COM must be the same in both realms.