Managing Multiple Realms
Hierarchical Interrealm Trust
For interrealm authentication in the other direction,
• krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM allows the server in FINANCE.JUNGLE.COM to accept tickets from BAMBI.COM.
• krbtgt/BAMBI.COM@IT.JUNGLE.COM allows the server in BAMBI.COM to accept tickets from IT.JUNGLE.COM.

Configuring the Local Realm

To configure the local realm, consider the local realm as FINANCE.JUNGLE.COM and the intermediate realm as BAMBI.COM and complete the following steps in the FINANCE.JUNGLE.COM realm:

Step 1. Use the Kerberos administrative utility, HP Kerberos Administrator, in the FINANCE.JUNGLE.COM realm, and add the krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM principal, which allows users in the FINANCE.JUNGLE.COM realm to authenticate with the server in the BAMBI.COM realm.

        Enable the following settings for this principal:

        • Select all the Allow attributes.
        • Clear all the Require attributes.
        • Provide a password rather than a random key and remember the password.
        • Record the primary key type and salt type.
        • Record the password key version number.

Step 2. If the FINANCE.JUNGLE.COM realm also trusts the BAMBI.COM realm, add the krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM principal, which allows users in the BAMBI.COM realm to authenticate to the services in the FINANCE.JUNGLE.COM realm.

Step 3. Enable the same settings for this principal as for the interrealm principal, krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM, as mentioned in step 1 in the procedure for configuring the intermediate realm.
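
The values recorded in the steps above matter because, in standard Kerberos, an interrealm krbtgt principal is entered in both realms with the same password, key type, salt type and key version number. The following Python script is an added example, not part of the HP guide or its tools: it checks a hand-kept worksheet of the recorded values for both realms. The Recorded fields, the function names and the sample values are assumptions made for illustration.

```python
from collections import namedtuple

# Values the procedure says to record for one krbtgt principal (hypothetical type).
Recorded = namedtuple("Recorded", "key_type salt_type kvno")

def required_principals(path, two_way=True):
    """krbtgt/B@A lets users in realm A authenticate to services in realm B.
    Returns (principal, (A, B)) for each adjacent pair of realms on the path."""
    needed = []
    for a, b in zip(path, path[1:]):
        needed.append((f"krbtgt/{b}@{a}", (a, b)))
        if two_way:
            needed.append((f"krbtgt/{a}@{b}", (a, b)))
    return needed

def audit(path, records, two_way=True):
    """records maps realm -> {principal: Recorded}; returns a list of findings.
    The shared password must match too, but is deliberately never stored here."""
    findings = []
    for principal, (a, b) in required_principals(path, two_way):
        in_a = records.get(a, {}).get(principal)
        in_b = records.get(b, {}).get(principal)
        missing = [realm for realm, e in ((a, in_a), (b, in_b)) if e is None]
        if missing:
            findings.append(f"{principal}: not recorded in {', '.join(missing)}")
            continue
        for field in Recorded._fields:
            if getattr(in_a, field) != getattr(in_b, field):
                findings.append(f"{principal}: {field} differs between {a} and {b}")
    return findings

# Constructed sample worksheet (illustrative values, not taken from the guide).
PATH = ["FINANCE.JUNGLE.COM", "BAMBI.COM"]
OK = Recorded("des3-cbc-sha1", "normal", 1)
SAMPLE = {
    "FINANCE.JUNGLE.COM": {
        "krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM": OK,
        "krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM": OK,
    },
    "BAMBI.COM": {
        # kvno was recorded as 2 here, so the two realms disagree.
        "krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM": Recorded("des3-cbc-sha1", "normal", 2),
    },
}

if __name__ == "__main__":
    for line in audit(PATH, SAMPLE):
        print(line)
```

Enter the key type and salt type exactly as the administrative utility displays them; the strings in the sample worksheet are placeholders.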