Managing Multiple Realms
Configuring Direct Trust Relationships
• The Kerberos server does not recognize the realm listed in the interrealm ticket, that is, when a proper trust relationship between the realms is not established.
• The Kerberos server does not recognize the requested service principal, and has no further trust relationships for which it returns an interrealm ticket.
To set up a
krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM
krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM
This special principal indicates a
krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM
The passwords of the corresponding principals must be the same on both KDCs. However, the different
For example, krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM must have the same password on each KDC, but
krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM and krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM do not have to share the same password.
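
The following is an added example, not part of the original text: a Python check that each interrealm principal exists on both KDCs with matching key metadata. The record layout (principal name mapped to key version number and encryption types) and the sample data are constructed for illustration. Comparing kvno and enctypes as a stand-in for "same password" is an assumption that goes beyond the page.

```python
# Added example: audit two KDC principal listings for the interrealm
# krbtgt principals. The record layout {name: (kvno, [enctypes])} is a
# hypothetical format; the sample data below is constructed.

def cross_realm_name(remote, local):
    """Name of the interrealm principal, e.g. krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM."""
    return f"krbtgt/{remote}@{local}"

def audit_trust(realm_a, db_a, realm_b, db_b):
    """Return {principal: status} for both interrealm principals."""
    report = {}
    for remote, local in ((realm_b, realm_a), (realm_a, realm_b)):
        name = cross_realm_name(remote, local)
        rec_a, rec_b = db_a.get(name), db_b.get(name)
        if rec_a is None and rec_b is None:
            report[name] = "absent on both KDCs"
        elif rec_a is None or rec_b is None:
            missing = realm_a if rec_a is None else realm_b
            report[name] = f"missing on {missing} KDC"
        elif rec_a[0] != rec_b[0]:
            # Same password but different key versions still fails.
            report[name] = f"kvno mismatch ({rec_a[0]} vs {rec_b[0]})"
        elif set(rec_a[1]) != set(rec_b[1]):
            report[name] = "enctype mismatch"
        else:
            report[name] = "ok"
    return report

# Constructed sample: the second principal was re-keyed on one KDC only.
IT_KDC = {
    "krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM": (1, ["aes256-cts-hmac-sha1-96"]),
    "krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM": (1, ["aes256-cts-hmac-sha1-96"]),
}
ADMIN_KDC = {
    "krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM": (1, ["aes256-cts-hmac-sha1-96"]),
    "krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM": (2, ["aes256-cts-hmac-sha1-96"]),
}

if __name__ == "__main__":
    result = audit_trust("IT.BAMBI.COM", IT_KDC, "ADMIN.BAMBI.COM", ADMIN_KDC)
    for principal, status in result.items():
        print(f"{principal}: {status}")
```
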