You need to use hierarchical interrealm authentication when a realm does not have a direct path to its destination realm, but has a path to an intermediate realm.

Hierarchical Chain of Trust
Interrealm trust can be transitive: if realm A trusts B and B trusts C, then a client in A can get a ticket from C by following the trust path from A to B to C. For example, consider realm 1 as X.Y.A, realm 2 as X.Y.C, and realm 3 as X.Y.B, with the following direct trust relationships established between them:

- Realm X.Y.A has a direct trust link to realm X.Y.B.
- Realm X.Y.B has a direct trust link to realm X.Y.C.

In such a configuration, the client walks the realm tree from node X.Y.A to X.Y.C by requesting an interrealm TGT from each intermediate realm (in this example, X.Y.B), until it obtains the service ticket from X.Y.C. Although creating such hierarchical trusts is more efficient than attempting to configure each server with knowledge of all possible interrealm trust relationships, the client must still perform the realm tree computation, map each realm to a security server host name, and request an interrealm TGT from each realm in the path. In addition, the Kerberos protocol requires the client to know the exact realm of each service it needs to authenticate to. In the previous example, the client in X.Y.A must know that the service it wants to access belongs to realm X.Y.C.

Assume that a client in the realm RED.BLUE.COM needs to authenticate to a service located in the realm GREEN.YELLOW.COM, but realm RED.BLUE.COM does not have a direct trust relationship established with the realm GREEN.YELLOW.COM. VIBGYOR.INDIGO.COM, however, has a direct trust relationship established with both RED.BLUE.COM and GREEN.YELLOW.COM. Hence, RED.BLUE.COM can obtain an interrealm ticket through the intermediate realm, VIBGYOR.INDIGO.COM: the client in RED.BLUE.COM requests an interrealm ticket from VIBGYOR.INDIGO.COM and uses this interrealm ticket to contact GREEN.YELLOW.COM for a ticket to a service in its realm.

Hierarchical Interrealm Configuration
To configure realms to perform hierarchical interrealm authentication, complete the following steps in the local realm, intermediate realm, and target realm:

1. Add an interrealm principal (krbtgt/REALM2@REALM1) to the principal database to allow the local realm to authenticate with the intermediate realm and the intermediate realm to authenticate with another intermediate or the target realm.

2. Add a second interrealm principal (krbtgt/REALM1@REALM2) to the database if you also want the intermediate or target realm to authenticate two-way with the local realm or another intermediate realm.

These actions are described in detail in the following sections.

The example configuration in this section uses the interrealm authentication principals shown in Figure 10-1 “Hierarchical Interrealm Configuration”. The relationships are defined as follows:

- krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM allows the server in BAMBI.COM to accept tickets from FINANCE.JUNGLE.COM.
- krbtgt/IT.JUNGLE.COM@BAMBI.COM allows the server in IT.JUNGLE.COM to accept tickets from BAMBI.COM.

For interrealm authentication in the other direction (two-way hierarchical interrealm authentication), you must also add these principals:

- krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM allows the server in FINANCE.JUNGLE.COM to accept tickets from BAMBI.COM.
- krbtgt/BAMBI.COM@IT.JUNGLE.COM allows the server in BAMBI.COM to accept tickets from IT.JUNGLE.COM.
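As an added example (not part of the HP guide), the following Python models the chain-of-trust walk and the principal relationships above. Each realm's principal database is a constructed dictionary of interrealm principal names and keys (the key stands in for the shared password); the code reports links where a krbtgt principal is present on only one side or its key differs, then computes the realm path and the interrealm TGTs a client in FINANCE.JUNGLE.COM requests to reach IT.JUNGLE.COM. The realm databases, keys and function names are assumptions for the example.

```python
from collections import deque
# Constructed sample (not from the guide): each realm's principal database as
# interrealm principal name -> key; the key stands in for the shared password.
DATABASES = {
    "FINANCE.JUNGLE.COM": {"krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM": "k1",
                           "krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM": "k2-typo"},  # mistyped
    "BAMBI.COM": {"krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM": "k1",
                  "krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM": "k2",
                  "krbtgt/IT.JUNGLE.COM@BAMBI.COM": "k3",
                  "krbtgt/BAMBI.COM@IT.JUNGLE.COM": "k4"},
    "IT.JUNGLE.COM": {"krbtgt/IT.JUNGLE.COM@BAMBI.COM": "k3"},  # reverse principal missing
}

def krbtgt(dest, src):
    """krbtgt/DEST@SRC lets the server in DEST accept tickets from SRC."""
    return f"krbtgt/{dest}@{src}"

def usable_links(databases):
    """Return (edges, problems): src->dest works only if krbtgt/dest@src is in both realms with equal keys."""
    edges, problems = set(), []
    for src in databases:
        for dest in databases:
            if src == dest:
                continue
            name = krbtgt(dest, src)
            ks, kd = databases[src].get(name), databases[dest].get(name)
            if ks is not None and ks == kd:
                edges.add((src, dest))
            elif ks is not None or kd is not None:
                why = "key differs" if ks and kd else "defined in only one realm"
                problems.append(f"{name}: {why} ({src} vs {dest})")
    return edges, sorted(problems)

def trust_path(edges, start, target):
    """Breadth-first walk of the realm tree; returns the realm list or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for src, dest in sorted(edges):
            if src == path[-1] and dest not in seen:
                seen.add(dest)
                queue.append(path + [dest])
    return None

def interrealm_tgts(path):
    """One interrealm TGT per hop, in the order the client requests them."""
    return [krbtgt(b, a) for a, b in zip(path, path[1:])]
```

With the sample data, the walk from FINANCE.JUNGLE.COM to IT.JUNGLE.COM succeeds while the reverse direction has no usable path, and both misconfigured principals are reported.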
Configuring the Local Realm

To configure the local realm, consider the local realm as FINANCE.JUNGLE.COM and the intermediate realm as BAMBI.COM, and complete the following steps in the FINANCE.JUNGLE.COM realm:

1. Use the Kerberos administrative utility, HP Kerberos Administrator, in the FINANCE.JUNGLE.COM realm, and add the krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM principal, which allows users in the FINANCE.JUNGLE.COM realm to authenticate with the server in the BAMBI.COM realm. Enable the following settings for this principal:
   - Select all the Allow attributes.
   - Clear all the Require attributes.
   - Provide a password rather than a random key and remember the password.
   - Record the primary key type and salt type.
   - Record the password key version number.

2. If the FINANCE.JUNGLE.COM realm also trusts the BAMBI.COM realm, add the krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM principal, which allows users in the BAMBI.COM realm to authenticate to the services in the FINANCE.JUNGLE.COM realm. Enable the same settings for this principal as for the interrealm principal krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM, as mentioned in step 1 in the procedure for configuring the intermediate realm.
Configuring the Intermediate Realm

To configure the intermediate realm, consider the local realm as FINANCE.JUNGLE.COM, the intermediate realm as BAMBI.COM, and the target realm as IT.JUNGLE.COM, and complete the following steps in the BAMBI.COM realm:

1. Use the Kerberos administrative utility, HP Kerberos Administrator, to add the krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM principal, which allows users in the FINANCE.JUNGLE.COM realm to authenticate with the server in the BAMBI.COM realm. Enable the same settings for this principal as you used for krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM in the local realm.

   NOTE: Each intermediate realm has four keys if you are performing two-way interrealm authentication.

2. If the FINANCE.JUNGLE.COM realm also trusts the BAMBI.COM realm, add the krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM principal, which allows users in the BAMBI.COM realm to authenticate with the server in the FINANCE.JUNGLE.COM realm. Enable the same settings for this principal as you used for the krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM principal in the local realm.

3. Add the krbtgt/IT.JUNGLE.COM@BAMBI.COM principal, which allows users in the BAMBI.COM realm to authenticate with the server in the IT.JUNGLE.COM realm. Enable the same settings for this principal as you used for the principal in the local realm.

4. If the BAMBI.COM realm also trusts the IT.JUNGLE.COM realm, add the krbtgt/BAMBI.COM@IT.JUNGLE.COM principal, which allows users in the IT.JUNGLE.COM realm to authenticate with the server in the BAMBI.COM realm. Enable the same settings for this principal as you used for the principal in the local realm. Refer to step 2 in “Configuring the Target Realm”.
Configuring the Target Realm

To configure the target realm, consider the intermediate realm as BAMBI.COM and the target realm as IT.JUNGLE.COM, and complete the following steps in the IT.JUNGLE.COM realm:

1. Use the Kerberos administrative utility, HP Kerberos Administrator, to add the krbtgt/IT.JUNGLE.COM@BAMBI.COM principal, which allows users in the BAMBI.COM realm to authenticate with the server in the IT.JUNGLE.COM realm. Enable the following settings for this principal:
   - Provide the same password that you used for krbtgt/IT.JUNGLE.COM@BAMBI.COM while configuring the intermediate realm.
   - Select all Allow attributes.
   - Clear all Require attributes.
   - Record the primary key type and salt type.
   - Record the password key version number.

2. If the BAMBI.COM realm also trusts the IT.JUNGLE.COM realm, add the krbtgt/BAMBI.COM@IT.JUNGLE.COM principal, which allows users in the IT.JUNGLE.COM realm to authenticate with the server in the BAMBI.COM realm.