Question: want different default_realm for service and user principals
Dirk Pape
pape at
Thu Aug 12 02:37:54 EDT 2004
I want to do the following with two Kerberos realms which trust each other:
The first realm, "FOO.ORG", holds only user principals; it is based on a
Windows 2003 Server AD.
The second realm, "BAR.FOO.ORG", holds service principals for unix services,
such as "host/domain@BAR.FOO.ORG" for all unix hosts running ssh.
We want to hold these principals in an MIT Kerberos-based KDC, because we
like to use the well-known and well-documented kadmin tool to remotely
create service principals in that domain.
As I understand it, it will be possible to authenticate as "user@FOO.ORG" to
a service running with a keytab for a service principal
"service/domain@BAR.FOO.ORG" if both realms trust each other.
First question: is this correct and a reasonable scenario? (We could not
yet test it because we have not yet set up the BAR.FOO.ORG domain.)
If this works and is a reasonable approach, then we see the following
problem from our tests.
If the [libdefaults] section in /etc/krb5.conf on the unix host running
the kerberized ssh service contains "default_realm = BAR.FOO.ORG", then
obtaining user TGTs on login (via PAM) or by "kinit user" on this host
will fail, because it will try to get them from realm BAR.FOO.ORG.
On the other hand, if "default_realm = FOO.ORG", the ssh service and
other services would not find the correct keytab entry because they look
for "service/domain@FOO.ORG" instead of "service/domain@BAR.FOO.ORG".
From what I see, I need to specify somehow that SPNs and user PNs come
from different realms by default.
Is this doable with some configuration options on the unix host? (I
already tried many things with the sections [domain_realm] and
[appdefaults], but I could not find a way.)
I would appreciate every hint.
The other approach for our problem would be to find or implement an RPC
on the Windows server running AD which, like kadmin/kadmind, enables
admins to create SPNs remotely and transfer the keytab securely to the
service host.
Last question: does anybody know of such a daemon for Windows 2003 Server?
Dr. Dirk Pape (Head of Computing Operations)
FB Mathematik und Informatik der FU-Berlin
Takustr. 9, 14195 Berlin
Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190
More information about the Kerberos mailing list
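As an added illustration, not part of the original post and not code from MIT Kerberos, the script below models the realm selection that libkrb5 documents for the two cases the post contrasts: a bare user name (as typed to kinit or through PAM) takes default_realm, while a host-based service principal is resolved through the [domain_realm] section first (exact host name, then each parent domain written with a leading dot, most specific first) and only falls back to default_realm when nothing matches. The krb5.conf text, the host name unixhost.bar.foo.org and the user name pape are constructed sample input.

```python
"""Model of how libkrb5 picks the realm for a bare user name versus a
host-based service principal.  Added example; not code from the original
post or from MIT Kerberos.  The krb5.conf text and the host names below
are constructed sample input."""

# Constructed krb5.conf: default_realm points at the user realm, and the
# [domain_realm] section maps the unix hosts' DNS domain onto the service realm.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = FOO.ORG

[realms]
    FOO.ORG = {
        kdc = ad.foo.org
    }
    BAR.FOO.ORG = {
        kdc = kdc.bar.foo.org
        admin_server = kdc.bar.foo.org
    }

[domain_realm]
    .bar.foo.org = BAR.FOO.ORG
    bar.foo.org = BAR.FOO.ORG
"""


def parse_krb5_conf(text):
    """Return {section: {tag: value}} for the top-level relations of each
    section.  Nested blocks such as FOO.ORG = { ... } are skipped because
    only [libdefaults] and [domain_realm] matter for realm selection."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in krb5.conf
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current, depth = line[1:-1], 0
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1                         # entering a nested relation
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            tag, value = (part.strip() for part in line.split("=", 1))
            sections[current][tag] = value
    return sections


def host_realm(hostname, conf):
    """Realm for a host, following the documented [domain_realm] lookup:
    exact host name first, then each parent domain written with a leading
    dot, most specific first.  If nothing matches, default_realm is used
    (libkrb5 may also try DNS TXT records when dns_lookup_realm is set,
    or rely on KDC referrals in newer releases; both are omitted here)."""
    mapping = {tag.lower(): realm
               for tag, realm in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf["libdefaults"]["default_realm"]


def service_principal(service, hostname, conf):
    """Name a host-based service principal the way krb5_sname_to_principal
    does: service/lowercased-fqdn@realm-of-that-host."""
    host = hostname.lower().rstrip(".")
    return f"{service}/{host}@{host_realm(host, conf)}"


def user_principal(name, conf):
    """A bare user name gets default_realm; an explicit realm is left alone."""
    return name if "@" in name else f"{name}@{conf['libdefaults']['default_realm']}"


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(user_principal("pape", conf))                             # pape@FOO.ORG
    print(service_principal("host", "unixhost.bar.foo.org", conf))  # host/unixhost.bar.foo.org@BAR.FOO.ORG
    print(service_principal("ldap", "ad.foo.org", conf))            # ldap/ad.foo.org@FOO.ORG (fallback)
```

The point the model makes visible is that default_realm and [domain_realm] answer two different questions: the first fills in the realm of a name with no realm part, the second maps a host name to the realm whose keytab a host-based service should hold. Changing the sample's default_realm to BAR.FOO.ORG reproduces the post's first symptom (the bare user name resolves to the service realm), while deleting the [domain_realm] entries reproduces the second (the unix host's service principal falls back to the user realm).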