Managing Multiple Realms

Hierarchical Interrealm Trust

For interrealm authentication in the other direction, two-way hierarchical interrealm authentication, you must also add these principals:

krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM allows the server in

FINANCE.JUNGLE.COM to accept tickets from BAMBI.COM.

krbtgt/BAMBI.COM@IT.JUNGLE.COM allows the server in BAMBI.COM to accept tickets from IT.JUNGLE.COM.

 

 

Configuring the Local Realm

 

 

To configure the local realm, consider the local realm as

 

 

FINANCE.JUNGLE.COM and the intermediate realm as BAMBI.COM and

 

 

complete the following steps in the FINANCE.JUNGLE.COM realm:

Step

1.

Use the Kerberos administrative utility, HP Kerberos Administrator, in

 

 

the FINANCE.JUNGLE.COM realm, and add the

 

 

krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM principal, which allows users

 

 

in the FINANCE.JUNGLE.COM realm to authenticate with the server in the

 

 

BAMBI.COM realm.

 

 

Enable the following settings for this principal:

 

 

• Select all the Allow attributes.

 

 

• Clear all the Require attributes.

 

 

• Provide a password rather than a random key and remember the

 

 

password.

 

 

• Record the primary key type and salt type.

 

 

• Record the password key version number.

Step

2. If the FINANCE.JUNGLE.COM realm also trusts the BAMBI.COM realm, add

 

 

the krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM principal, which allows

 

 

users in the BAMBI.COM realm to authenticate to the services in the

 

 

FINANCE.JUNGLE.COM realm.

Step

3.

Enable the same settings for this principal as for the interrealm

 

 

principal, krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM, as mentioned in

 

 

step 1 in the procedure for configuring the intermediate realm.

284

Chapter 10

Page 284
Image 284
HP UX Kerberos Data Security Software manual Configuring the Local Realm