[14546] in Kerberos
Re: One way Cross-Realm Authentication
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Thu Jun 7 20:26:19 2001
Message-Id: <200106080023.f580NIo21465@ginger.cmf.nrl.navy.mil>
To: John Rudd <jrudd@cats.ucsc.edu>
cc: kerberos@MIT.EDU
In-reply-to: Your message of "Thu, 07 Jun 2001 16:19:48 PDT."
<3B200C14.189C5401@cats.ucsc.edu>
Date: Thu, 07 Jun 2001 20:23:15 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>So, the goal is that machines attached to and administrated by any
>random THEM.UCSC.EDU realm can have users authenticated against
>US.UCSC.EDU, and not vice versa.
>
>Can I accomplish that by deleting one of the above principals? If so,
>which one? I'm guessing it'd be the first one, but I'm not sure.
You want to delete krbtgt/US.UCSC.EDU@THEM.UCSC.EDU.
It's easy to figure this out, actually. Just use a cross-realm service
that goes from your realm to the foreign realm, and do "klist" to see
what krbtgt principal you get as part of cross-realm. Then delete the
other one.
--Ken
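Ken's check, written out as a small Python script (an added example, not part of the original thread; the klist output below is constructed, and the function names are mine): it picks the cross-realm TGT out of klist output and names its counterpart, which is the principal to delete for a one-way trust.

```python
import re

# Matches a krbtgt service principal as klist prints it:
# krbtgt/<service realm>@<issuing realm>
KRBTGT_RE = re.compile(r"krbtgt/(?P<service_realm>[^@\s]+)@(?P<issuing_realm>\S+)")


def find_cross_realm_tgts(klist_output: str) -> list[str]:
    """Return the cross-realm TGTs in klist output: krbtgt entries whose
    service realm differs from the realm whose KDC issued them."""
    return [
        m.group(0)
        for m in KRBTGT_RE.finditer(klist_output)
        if m.group("service_realm") != m.group("issuing_realm")
    ]


def counterpart(cross_realm_tgt: str) -> str:
    """Given krbtgt/B@A (issued by A, lets A's users reach B), return
    krbtgt/A@B, the principal that enables the reverse direction and is
    therefore the one to delete for a one-way trust."""
    m = KRBTGT_RE.fullmatch(cross_realm_tgt)
    if m is None or m.group("service_realm") == m.group("issuing_realm"):
        raise ValueError(f"not a cross-realm krbtgt principal: {cross_realm_tgt}")
    return f"krbtgt/{m.group('issuing_realm')}@{m.group('service_realm')}"


def one_way_trust_plan(users_realm: str, services_realm: str) -> dict[str, str]:
    """Which cross-realm principal to keep and which to delete so that users
    of users_realm can authenticate to services in services_realm only."""
    keep = f"krbtgt/{services_realm}@{users_realm}"  # issued by the users' KDC
    return {"keep": keep, "delete": counterpart(keep)}


# Constructed klist output (not captured from a real system): a US.UCSC.EDU
# user who has just used a host service in THEM.UCSC.EDU.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jrudd@US.UCSC.EDU

Valid starting       Expires              Service principal
06/07/01 16:00:00    06/08/01 02:00:00    krbtgt/US.UCSC.EDU@US.UCSC.EDU
06/07/01 16:05:00    06/08/01 02:00:00    krbtgt/THEM.UCSC.EDU@US.UCSC.EDU
06/07/01 16:05:01    06/08/01 02:00:00    host/box.them.ucsc.edu@THEM.UCSC.EDU
"""

if __name__ == "__main__":
    for tgt in find_cross_realm_tgts(SAMPLE_KLIST):
        print(f"cross-realm TGT in cache:  {tgt}")
        print(f"delete for one-way trust:  {counterpart(tgt)}")
    print(one_way_trust_plan("US.UCSC.EDU", "THEM.UCSC.EDU"))
```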