Issue with KDC - Kerberos


Thread: Issue with KDC

  1. Issue with KDC


    Hello,
    This is Sunil here. I am working on cross-domain authentication using
    Kerberos. I have two domains (xx.com) and (co.yy), and I am in a dilemma
    as to whether to install 2 KDCs in both the domains, or whether it is
    sufficient for the KDC to be installed in only one single domain and to
    register the other domain as just the user of the domain in which the KDC
    is installed. Also, I'd like to avoid the cross-realm scenario, because we
    would have to set up another KDC (that's a bit difficult). Are there any
    other possibilities for using two domains for Kerberos without having a
    KDC in both domains? Please do clear my doubt. Looking for an answer.


    --
    View this message in context: http://www.nabble.com/Issue-with-KDC...p14370277.html
    Sent from the Kerberos - General mailing list archive at Nabble.com.



  2. Re: Issue with KDC

    In article ,
    sunilcnair wrote:

    > This is Sunil here. I am working on cross-domain authentication using
    > Kerberos. I have two domains (xx.com) and (co.yy), and I am in a dilemma
    > as to whether to install 2 KDCs in both the domains, or whether it is
    > sufficient for the KDC to be installed in only one single domain and to
    > register the other domain as just the user of the domain in which the KDC
    > is installed. Also, I'd like to avoid the cross-realm scenario, because we
    > would have to set up another KDC (that's a bit difficult). Are there any
    > other possibilities for using two domains for Kerberos without having a
    > KDC in both domains? Please do clear my doubt. Looking for an answer.


    Kerberos is basically indifferent to DNS domains, and
    one Kerberos "realm" can certainly serve many DNS domains.
    Application software may rely on DNS for realm information,
    though - configuration files may specify realm/domain maps,
    and Kerberos realm information can be published in special
    DNS SRV and TXT records. If you have tried this and were
    not able to make it work, check that the [domain_realm]
    section of your configuration file includes the new domain.

    Donn Cave, donn@u.washington.edu

  3. request a keytab from KDC in other domain



    Hello all,

    I am Sunil C. I have a domain named xx.com which has a KDC.
    I also have a domain co.yy where my server is. There is no KDC in it.

    Users are in the xx.com domain,

    but my servers are in the (co.yy) domain.

    I had set up a test scenario with a user and a server in domain (xx.com).
    Since the KDC was set up, I got a ticket and was able to authenticate well
    using Kerberos.

    My issue is that all my production servers are in domain (co.yy), which
    doesn't have a KDC. I want to authenticate and use the server services in
    that domain.
    Setting up a KDC in both domains is not feasible for me.

    Now I have done some configuration in the krb5.conf file on my server
    (test.co.yy):

    [domain_realm]
    xx.com = XX.COM
    .xx.com = XX.COM
    co.yy = XX.COM
    .co.yy = XX.COM

    This shows that I have mapped my domain co.yy, which does not have a KDC,
    to the realm XX.COM.

    Now I have some issues.

    1) How can I get a keytab from the KDC of XX.COM (my server in co.yy)?
    Is this command correct?
    > ktpass -princ HTTP/test.co.yy@XX.COM


    2) Can I get a keytab with that command?

    3) I have heard of CNAME.
    Can I create a CNAME for my server like denver.xx.com CNAME test.co.yy?

    If that's possible, I can request a keytab like this:
    > ktpass -princ HTTP/denver.xx.com@XX.COM


    Then will it relate to the real host name, test.co.yy?

    Please help me with my questions.





    --
    View this message in context: http://www.nabble.com/Issue-with-KDC...p14714285.html
    Sent from the Kerberos - General mailing list archive at Nabble.com.

