[32993] in Kerberos
Re: some cross-realm trust questions
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Mon Dec 27 11:05:30 2010
Date: Mon, 27 Dec 2010 10:04:26 -0600
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
Message-ID: <20101227160426.GF1091@oracle.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <if97mj$cv6$2@relay.tomsk.ru>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Mon, Dec 27, 2010 at 05:20:19AM +0000, Victor Sudakov wrote:
> Nicolas Williams wrote:
> > > 1. If a cross-realm trust is configured, do the realms' KDCs ever have to
> > > exchange any traffic between each other?
>
> > No, they do not.
>
> That's great, but at least at the initialization stage, how is a
> shared key for the corresponding krbtgt principals transferred between
> the two KDCs?
>
> The Windows "New Trust" wizard just asks for a password and never
> offers to export a keytab or anything.
True, but this is a step that must be executed locally on each realm
(with the same exact password). There's no standard protocol to help
realms agree on shared x-realm keys, not yet anyways.
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
