Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

How to Establish Direct Cross-Realm Authentication

The example in this procedure uses two realms, CORP.EAST.EXAMPLE.COM and SALES.WEST.EXAMPLE.COM. Cross-realm authentication will be established in both directions. This procedure must be completed on the master KDC in both realms.

Before You Begin

The master KDC for each realm is configured. To fully test the authentication process, you need several clients.

You must assume the root role on both KDC servers. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

  1. Create ticket-granting ticket service principals for the two realms.

    You must log in with one of the admin principal names that was created when you configured the master KDC.

    # /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    Enter password for principal
    krbtgt/CORP.EAST.EXAMPLE.COM@SALES.WEST.EXAMPLE.COM:/** Type strong password **/
    Enter password for principal
    krbtgt/SALES.WEST.EXAMPLE.COM@CORP.EAST.EXAMPLE.COM:/** Type strong password **/
    kadmin: quit
  2. Add entries in the Kerberos configuration file to define the direct path to the remote realm.

    This example shows the clients in the CORP.EAST.EXAMPLE.COM realm. To add the appropriate definitions in the SALES.WEST.EXAMPLE.COM realm, swap the realm names.

    # pfedit /etc/krb5/krb5.conf
  3. Copy the Kerberos configuration file to all clients in the current realm.

    For cross-realm authentication to work, all systems (including slave KDCs and other servers) must use the new version of the Kerberos configuration file, /etc/krb5/krb5.conf.

  4. Repeat this procedure for the second realm.