System Administration Guide: Security Services

Configuring Cross-Realm Authentication

You have several ways of linking realms together so that users in one realm can be authenticated in another realm. Cross-realm authentication is accomplished by establishing a secret key that is shared between the two realms: the key of a krbtgt service principal that is created with the same password on the master KDC of each realm. The relationship of the realms can be either hierarchical or directional (see Realm Hierarchy).

How to Establish Hierarchical Cross-Realm Authentication

The example in this procedure uses two realms, ENG.EAST.EXAMPLE.COM and EAST.EXAMPLE.COM. Cross-realm authentication will be established in both directions. This procedure must be completed on the master KDC in both realms.

Before You Begin

The master KDC for each realm must be configured. To fully test the authentication process, several Kerberos clients must be configured.

  1. Become superuser on the first master KDC.
  2. Create ticket-granting ticket service principals for the two realms.

    You must log in with one of the admin principal names that was created when you configured the master KDC.

    # /usr/sbin/kadmin -p kws/admin
    Enter password: <Type kws/admin password>
    kadmin: addprinc krbtgt/ENG.EAST.EXAMPLE.COM@EAST.EXAMPLE.COM
    Enter password for principal krbtgt/ENG.EAST.EXAMPLE.COM@EAST.EXAMPLE.COM: <Type password>
    kadmin: addprinc krbtgt/EAST.EXAMPLE.COM@ENG.EAST.EXAMPLE.COM
    Enter password for principal krbtgt/EAST.EXAMPLE.COM@ENG.EAST.EXAMPLE.COM: <Type password>
    kadmin: quit

    Note - The password that is specified for each service principal must be identical in both KDCs. Thus, the password for the service principal krbtgt/ENG.EAST.EXAMPLE.COM@EAST.EXAMPLE.COM must be the same in both realms. This password is the inter-realm secret: anyone who obtains it can forge cross-realm tickets that the other realm will accept, so choose a long random value and pass it between the two KDC administrators out of band, never over the channel used for ordinary user passwords.


  3. Add entries to the Kerberos configuration file (krb5.conf) to define domain names for every realm.
    # cat /etc/krb5/krb5.conf
    [libdefaults]
     .
     .
    [domain_realm]
            .eng.east.example.com = ENG.EAST.EXAMPLE.COM
            .east.example.com = EAST.EXAMPLE.COM

    In this example, domain names for the ENG.EAST.EXAMPLE.COM and EAST.EXAMPLE.COM realms are defined. It is important to include the subdomain first, because the file is searched top down and the first matching entry wins: a host in eng.east.example.com also matches .east.example.com, so if that entry came first the host would be mapped to EAST.EXAMPLE.COM instead of ENG.EAST.EXAMPLE.COM.

  4. Copy the Kerberos configuration file to all clients in this realm.

    For cross-realm authentication to work, all systems (including slave KDCs and other servers) must have the new version of the Kerberos configuration file (/etc/krb5/krb5.conf) installed.

  5. Repeat all of these steps in the second realm.

How to Establish Direct Cross-Realm Authentication

The example in this procedure uses two realms, ENG.EAST.EXAMPLE.COM and SALES.WEST.EXAMPLE.COM. Cross-realm authentication will be established in both directions. This procedure must be completed on the master KDC in both realms.

Before You Begin

The master KDC for each realm must be configured. To fully test the authentication process, several Kerberos clients must be configured.

  1. Become superuser on one of the master KDC servers.
  2. Create ticket-granting ticket service principals for the two realms.

    You must log in with one of the admin principal names that was created when you configured the master KDC.

    # /usr/sbin/kadmin -p kws/admin
    Enter password: <Type kws/admin password>
    kadmin: addprinc krbtgt/ENG.EAST.EXAMPLE.COM@SALES.WEST.EXAMPLE.COM
    Enter password for principal krbtgt/ENG.EAST.EXAMPLE.COM@SALES.WEST.EXAMPLE.COM: <Type the password>
    kadmin: addprinc krbtgt/SALES.WEST.EXAMPLE.COM@ENG.EAST.EXAMPLE.COM
    Enter password for principal krbtgt/SALES.WEST.EXAMPLE.COM@ENG.EAST.EXAMPLE.COM: <Type the password>
    kadmin: quit

    Note - The password that is specified for each service principal must be identical in both KDCs. Thus, the password for the service principal krbtgt/ENG.EAST.EXAMPLE.COM@SALES.WEST.EXAMPLE.COM must be the same in both realms. It is the shared inter-realm key, so choose it with the same care as a KDC key and do not reuse an existing password.


  3. Add entries in the Kerberos configuration file to define the direct path to the remote realm.

    This example shows the file for clients in the ENG.EAST.EXAMPLE.COM realm; swap the realm names to get the definitions for the SALES.WEST.EXAMPLE.COM realm (because both directions are listed, the resulting section is the same). The value "." means that the client realm obtains a cross-realm ticket for the server realm directly, with no intermediate realm.

    # cat /etc/krb5/krb5.conf
    [libdefaults]
     .
     .
    [capaths]
        ENG.EAST.EXAMPLE.COM = {
            SALES.WEST.EXAMPLE.COM = .
        }

        SALES.WEST.EXAMPLE.COM = {
            ENG.EAST.EXAMPLE.COM = .
        }

  4. Copy the Kerberos configuration file to all clients in the current realm.

    For cross-realm authentication to work, all systems (including slave KDCs and other servers) must have the new version of the Kerberos configuration file (/etc/krb5/krb5.conf) installed.

  5. Repeat all of these steps for the second realm.
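Both procedures above come down to edits of /etc/krb5/krb5.conf with two easy mistakes: listing a parent domain before its subdomain in [domain_realm] (hierarchical procedure, step 3), and adding only one direction in [capaths] (direct procedure, step 3). The following is an added example, not code from the Solaris guide or from any Kerberos implementation: a small Python linter that parses the krb5.conf profile format and flags both mistakes, plus a top-down domain-to-realm lookup that shows what a misordered file does to a host in eng.east.example.com. The configuration samples inside it are constructed for the example, and the function names and check logic are this example's own.

```python
"""Lint a krb5.conf for the two cross-realm pitfalls in the procedures above.

Added example, not code from the Solaris guide. It parses the krb5.conf profile
format ([section], key = value, key = { ... } blocks) and checks that each
[domain_realm] subdomain precedes its parent (the file is searched top down, so
the first match wins) and that each direct [capaths] entry (A = { B = . }) has
its reverse, since trust is established in both directions. Samples are constructed.
"""
# Constructed, deliberately misconfigured: the parent domain is listed first, and
# the SALES.WEST -> ENG.EAST reverse capath is missing.
BROKEN_KRB5_CONF = """\
[domain_realm]
    .east.example.com = EAST.EXAMPLE.COM
    .eng.east.example.com = ENG.EAST.EXAMPLE.COM
[capaths]
    ENG.EAST.EXAMPLE.COM = {
        SALES.WEST.EXAMPLE.COM = .
    }
"""

# Constructed: the same file with both mistakes corrected.
FIXED_KRB5_CONF = """\
[domain_realm]
    .eng.east.example.com = ENG.EAST.EXAMPLE.COM
    .east.example.com = EAST.EXAMPLE.COM
[capaths]
    ENG.EAST.EXAMPLE.COM = {
        SALES.WEST.EXAMPLE.COM = .
    }
    SALES.WEST.EXAMPLE.COM = {
        ENG.EAST.EXAMPLE.COM = .
    }
"""

def parse_krb5_conf(text):
    """Return {section: [(key, value), ...]} in file order; a `key = { ... }` block becomes a nested list."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        if line.startswith('[') and line.endswith(']'):
            stack = [sections.setdefault(line[1:-1], [])]
        elif line == '}':
            if len(stack) < 2:
                raise ValueError("unbalanced '}' in krb5.conf")
            stack.pop()
        elif not stack:
            raise ValueError("key/value before any [section]: %r" % raw)
        else:
            key, sep, value = line.partition('=')
            if not sep:
                raise ValueError("expected 'key = value': %r" % raw)
            key, value = key.strip(), value.strip()
            if value == '{':            # open a nested block
                child = []
                stack[-1].append((key, child))
                stack.append(child)
            else:
                stack[-1].append((key, value))
    if len(stack) > 1:
        raise ValueError("unterminated '{' block in krb5.conf")
    return sections

def realm_for_host(sections, hostname):
    """Top-down [domain_realm] lookup: the first matching entry wins
    (an exact hostname, or a leading-dot domain suffix)."""
    host = hostname.lower()
    for domain, realm in sections.get('domain_realm', []):
        if host == domain or (domain.startswith('.') and host.endswith(domain)):
            return realm
    return None

def shadowed_domain_realm_entries(sections):
    """(entry, earlier_entry) pairs where a less specific domain listed earlier
    captures the hosts of a more specific entry listed later."""
    problems, seen = [], []
    for domain, _realm in sections.get('domain_realm', []):
        problems += [(domain, e) for e in seen
                     if e.startswith('.') and domain != e and domain.endswith(e)]
        seen.append(domain)
    return problems

def one_way_capaths(sections):
    """Direct (client_realm, server_realm) paths whose reverse entry is missing."""
    direct = set()
    for client, entries in sections.get('capaths', []):
        if isinstance(entries, list):
            direct.update((client, server) for server, hop in entries if hop == '.')
    return sorted(pair for pair in direct if pair[::-1] not in direct)

def lint(text):
    """Run both checks on a krb5.conf string; empty lists mean it passes."""
    sections = parse_krb5_conf(text)
    return {'shadowed': shadowed_domain_realm_entries(sections),
            'one_way': one_way_capaths(sections)}

if __name__ == '__main__':
    print(lint(BROKEN_KRB5_CONF), lint(FIXED_KRB5_CONF))
```

Run it against the edited file before copying it to the clients and slave KDCs in step 4 of either procedure. It reads only the file and never contacts a KDC, so it cannot tell whether the krbtgt principals and their passwords actually match on both masters; only a real ticket request across the realm boundary confirms that.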

 
 
  Published under the terms of the Public Documentation License Version 1.01.