(heimdal.info.gz) Transit policy
4.14 Transit policy
===================
If you want to use cross realm authentication through an intermediate
realm, it must be explicitly allowed by either the KDCs or the server
receiving the request. This is done in `krb5.conf' in the `[capaths]'
section.
When the ticket transits through a realm to another realm, the
destination realm adds its peer to the "transited-realms" field in the
ticket. The field is treated as unordered, since there is no way to know
whether one of the transited realms changed the order of the list.
The syntax for the `[capaths]' section:

    [capaths]
        CLIENT-REALM = {
            SERVER-REALM = PERMITTED-CROSS-REALMS ...
        }
The realm `STACKEN.KTH.SE' allows clients from `SU.SE' and `DSV.SU.SE'
to cross it. Since `STACKEN.KTH.SE' only has direct cross realm setup
with `KTH.SE', and `DSV.SU.SE' only has direct cross realm setup with
`SU.SE', they need to use both `SU.SE' and `KTH.SE' as transit realms.

    [capaths]
        SU.SE = {
            STACKEN.KTH.SE = KTH.SE
        }
        DSV.SU.SE = {
            STACKEN.KTH.SE = SU.SE KTH.SE
        }
The order of the `PERMITTED-CROSS-REALMS' is not important when doing
transit cross realm verification.
However, the order is important when the `[capaths]' section is used to
figure out the intermediate realm to go to when doing multi-realm
transit. When figuring out the next realm, the first realm in the list
of `PERMITTED-CROSS-REALMS' is chosen. This is done in both the client
Kerberos library and the KDC.
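The following is an added example, not Heimdal's own code, that models the two uses of `[capaths]' described above on the sample configuration from this page: the unordered check of a ticket's transited-realms field against the permitted list, and the choice of the first listed realm as the next hop. The parser handles only the small subset of krb5.conf syntax shown here, and the assumption that a missing entry permits only a direct (no intermediate realm) path is a simplification made for this example.

```python
# Added example (not Heimdal code): a simplified model of the [capaths]
# transit policy as described in the text above.
#   1. Transit verification: every realm recorded in the ticket's
#      transited-realms field must appear under CLIENT-REALM -> SERVER-REALM.
#      The field is unordered, so this is a set comparison.
#   2. Path selection: the first realm in PERMITTED-CROSS-REALMS is the
#      next hop when building a multi-realm path.
# The parser covers only the syntax shown on this page ([section],
# NAME = { ... }, KEY = VALUE ...); it is not a general krb5.conf parser.

import re

# Constructed sample: the [capaths] section from the text above.
SAMPLE_KRB5_CONF = """
[capaths]
    SU.SE = {
        STACKEN.KTH.SE = KTH.SE
    }
    DSV.SU.SE = {
        STACKEN.KTH.SE = SU.SE KTH.SE
    }
"""


def parse_capaths(text):
    """Return {client_realm: {server_realm: [permitted realms...]}}."""
    capaths = {}
    section = None
    client = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "capaths":
            continue
        m = re.fullmatch(r"([\w.\-]+)\s*=\s*\{", line)
        if m:
            client = m.group(1)
            capaths.setdefault(client, {})
            continue
        if line == "}":
            client = None
            continue
        m = re.fullmatch(r"([\w.\-]+)\s*=\s*(.*)", line)
        if m and client is not None:
            server, realms = m.group(1), m.group(2).split()
            capaths[client][server] = realms
    return capaths


def transit_permitted(capaths, client_realm, server_realm, transited):
    """Check a ticket's transited-realms list against the policy.

    Order is deliberately ignored, matching the text: the field is
    treated as unordered.
    """
    allowed = capaths.get(client_realm, {}).get(server_realm)
    if allowed is None:
        # Assumption for this example: with no policy configured, only a
        # direct path (no intermediate realm) is acceptable.
        return len(transited) == 0
    return set(transited) <= set(allowed)


def next_hop(capaths, client_realm, server_realm):
    """Realm to go to next when building a multi-realm path.

    The first entry of PERMITTED-CROSS-REALMS is chosen; with no entry
    configured, the server realm itself is returned (direct cross realm).
    """
    allowed = capaths.get(client_realm, {}).get(server_realm)
    if not allowed:
        return server_realm
    return allowed[0]


if __name__ == "__main__":
    cfg = parse_capaths(SAMPLE_KRB5_CONF)
    # A DSV.SU.SE client reaching STACKEN.KTH.SE via SU.SE and KTH.SE,
    # recorded in either order, passes; an unlisted realm does not.
    print(transit_permitted(cfg, "DSV.SU.SE", "STACKEN.KTH.SE",
                            ["KTH.SE", "SU.SE"]))
    print(transit_permitted(cfg, "SU.SE", "STACKEN.KTH.SE", ["DSV.SU.SE"]))
    print(next_hop(cfg, "DSV.SU.SE", "STACKEN.KTH.SE"))
```

Note that `transit_permitted` accepts the realms in any order while `next_hop` depends on the order, which is exactly the distinction the text draws between verification and path selection.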