Cross-realm Authentication
In order for a KDC in one realm to authenticate Kerberos users in a
different realm, it must share a key with the KDC in the other realm.
In both databases, there must be krbtgt service principals for realms.
These principals should all have the same passwords, key version
numbers, and encryption types. For example, if the administrators of
ATHENA.MIT.EDU and EXAMPLE.COM wanted to authenticate
across the realms, they would run the following commands on the KDCs in
both realms:
shell%: kadmin.local -e "des3-hmac-sha1:normal des-cbc-crc:v4"
kadmin: add_princ -requires_preauth krbtgt/[email protected]
Enter password for principal krbtgt/[email protected]:
Re-enter password for principal krbtgt/[email protected]:
kadmin: add_princ -requires_preauth krbtgt/[email protected]
Enter password for principal krbtgt/[email protected]:
Enter password for principal krbtgt/[email protected]:
kadmin:
Even if most principals in a realm are generally created with the
requires_preauth flag enabled, this flag is not desirable on
cross-realm authentication keys because doing so makes it impossible to
disable preauthentication on a service-by-service basis. Disabling it
as in the example above is recommended.
It is also very important that these principals have good passwords.
MIT recommends that TGT principal passwords be at least 26
characters of random ASCII text.