Managing Multiple Realms

Configuring Direct Trust Relationships

The Kerberos server does not recognize the realm listed in the interrealm ticket; that is, a proper trust relationship between the realms has not been established.

The Kerberos server does not recognize the requested service principal, and it has no further trust relationship for which it could return an interrealm ticket.

To set up cross-realm authentication between the two realms ADMIN.BAMBI.COM and IT.BAMBI.COM, you need to create two special principals on each Key Distribution Center (KDC), as shown in the following example:

krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM

krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM

Together, these two special principals establish a two-way trust relationship. If you want to configure only a one-way trust relationship, you need to create only the following special principal:

krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM

The password of a given cross-realm principal must be the same on both KDCs. However, the two different cross-realm principals do not have to share a password.

For example, krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM must have the same password on each KDC, but krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM and krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM do not have to share the same password.
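The following toy model, added here as an illustration and not part of this guide or of any Kerberos implementation, shows why the rules above hold: a client's home KDC encrypts the interrealm ticket with its copy of krbtgt/REMOTE@LOCAL, so the remote KDC must hold the same principal with the same password, and a one-way trust with only krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM lets IT.BAMBI.COM clients reach ADMIN.BAMBI.COM services but not the reverse. Realm names are taken from the text; the KDC databases and passwords are constructed sample data.

```python
# Toy model of direct Kerberos cross-realm trust; it is not a KDC implementation.
# Each KDC is a dict mapping krbtgt/REMOTE@LOCAL principals to their key material.
# Real KDCs derive a key from the password and a salt; here the password string
# itself stands in for the key, which is enough to show the matching rule.
class TrustError(Exception):
    """Raised where a real KDC would return an error instead of a ticket."""

def cross_realm_principal(remote_realm, local_realm):
    """Name of the principal a KDC in local_realm uses to vouch for remote_realm."""
    return f"krbtgt/{remote_realm}@{local_realm}"

def issue_cross_realm_tgt(kdcs, client_realm, service_realm):
    """The client's home KDC issues a TGT for service_realm, encrypted with its
    local copy of the shared cross-realm key. Returns (principal, key)."""
    home_kdc = kdcs[client_realm]
    principal = cross_realm_principal(service_realm, client_realm)
    if principal not in home_kdc:
        raise TrustError(f"no trust: {client_realm} holds no {principal}")
    return principal, home_kdc[principal]

def accept_cross_realm_tgt(kdcs, service_realm, principal, key):
    """The service realm's KDC must hold the same principal with the same key,
    otherwise it cannot decrypt the ticket the home KDC issued."""
    remote_kdc = kdcs[service_realm]
    if principal not in remote_kdc:
        raise TrustError(f"no trust: {service_realm} does not recognize {principal}")
    if remote_kdc[principal] != key:
        raise TrustError(f"key mismatch: {principal} differs between the KDCs")
    return True

def check_trust(kdcs, client_realm, service_realm):
    """'ok' if a client in client_realm can reach services in service_realm."""
    try:
        principal, key = issue_cross_realm_tgt(kdcs, client_realm, service_realm)
        accept_cross_realm_tgt(kdcs, service_realm, principal, key)
        return "ok"
    except TrustError as err:
        return str(err)

ADMIN, IT = "ADMIN.BAMBI.COM", "IT.BAMBI.COM"
ADMIN_AT_IT = cross_realm_principal(ADMIN, IT)   # krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM
IT_AT_ADMIN = cross_realm_principal(IT, ADMIN)   # krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM
# Constructed sample KDC databases; the passwords are placeholders.
TWO_WAY = {ADMIN: {ADMIN_AT_IT: "pw-1", IT_AT_ADMIN: "pw-2"},
           IT: {ADMIN_AT_IT: "pw-1", IT_AT_ADMIN: "pw-2"}}
ONE_WAY = {ADMIN: {ADMIN_AT_IT: "pw-1"}, IT: {ADMIN_AT_IT: "pw-1"}}
MISMATCH = {ADMIN: {ADMIN_AT_IT: "pw-1"}, IT: {ADMIN_AT_IT: "typo"}}

if __name__ == "__main__":
    print(check_trust(ONE_WAY, ADMIN, IT))   # the direction the one-way trust does not cover
```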


Chapter 10