Hierarchical inter-realm authentication is used when one realm
does not have a direct trust path to its destination realm, but does
have a path to an intermediate realm.

A Hierarchical Chain of Trust
Inter-realm trust can be transitive: if realm A trusts B and B trusts C,
then a client in A can obtain a ticket from C by following the trust path
from A to B to C. For example, let realm 1 be X.Y.A, realm 2 be X.Y.C,
and realm 3 be X.Y.B, with the following direct trust relationships
established between them: realm X.Y.A has a direct trust link to realm
X.Y.B, and realm X.Y.B has a direct trust link to realm X.Y.C. In such a
configuration, the client "walks" the realm tree from node X.Y.A to
X.Y.C by requesting an inter-realm TGT from each intermediate realm
(here only X.Y.B) until it obtains the service ticket from X.Y.C.

Although creating such hierarchical trusts is more efficient than
configuring each server with knowledge of every possible inter-realm
trust relationship, the client must still compute the realm path, map
each realm to a security server hostname, and request an inter-realm
TGT from each realm in the path. In addition, the Kerberos protocol
requires the client to know the exact realm of each service it wishes
to authenticate to. In the example above, the client in X.Y.A must know
that the service it wants to access belongs to realm X.Y.C.

Note that every realm on the path is a trusted party: the intermediate
realm's security server issues the inter-realm TGT that the destination
realm accepts, so a compromised intermediate realm can issue inter-realm
tickets carrying any client name from the realms behind it. Establish
inter-realm trust only with realms you are prepared to trust to that
degree.

Hierarchical Inter-realm Example
Let us assume that a client in the realm RED.BLUE.COM needs to
authenticate to a service located in the realm GREEN.YELLOW.COM, but
realm RED.BLUE.COM does not have a direct trust relationship established
with the realm GREEN.YELLOW.COM. However, VIBGYOR.INDIGO.COM has a direct
trust relationship established with both RED.BLUE.COM and
GREEN.YELLOW.COM. Hence, a client in RED.BLUE.COM can obtain an
inter-realm ticket through the intermediate realm, VIBGYOR.INDIGO.COM.
The client in RED.BLUE.COM first requests an inter-realm ticket for
VIBGYOR.INDIGO.COM from its own realm, presents it to VIBGYOR.INDIGO.COM
to obtain an inter-realm ticket for GREEN.YELLOW.COM, and then uses that
ticket to contact GREEN.YELLOW.COM for a ticket to a service in its realm.

Hierarchical Inter-realm Configuration
To configure realms to perform hierarchical inter-realm authentication,
the following steps are necessary in each realm: the local realm, the
intermediate realm(s), and the target realm.

1. Add an inter-realm principal (krbtgt/REALM2@REALM1) to the principal
   database to allow the local realm to authenticate with the
   intermediate realm, and the intermediate realm to authenticate with
   another intermediate realm or the target realm.

2. If you also want the intermediate or target realm to authenticate with
   the local realm or another intermediate realm (two-way trust), add a
   second inter-realm principal (krbtgt/REALM1@REALM2) to the database.

Each inter-realm principal must be added, with an identical key, to the
database of both realms named in it: the realm after the @ issues the
inter-realm ticket and the realm before the @ must be able to decrypt
it. These actions are described in detail in the following sections.
The example configuration in this section uses the inter-realm
authentication principals shown in the figure below. The relationships
are defined as follows:

- krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM allows the server in BAMBI.COM to
  accept tickets from FINANCE.JUNGLE.COM
- krbtgt/IT.JUNGLE.COM@BAMBI.COM allows the server in IT.JUNGLE.COM to
  accept tickets from BAMBI.COM

For inter-realm authentication in the other direction (two-way
hierarchical inter-realm authentication), these principals must also be
added:

- krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM allows the server in
  FINANCE.JUNGLE.COM to accept tickets from BAMBI.COM
- krbtgt/BAMBI.COM@IT.JUNGLE.COM allows the server in BAMBI.COM to
  accept tickets from IT.JUNGLE.COM
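The realm walk described under A Hierarchical Chain of Trust, applied to the principals listed above, as an added Python example (not code from the HP Kerberos Server documentation or product): it builds the trust graph from krbtgt/REMOTE@LOCAL principals, finds the chain of realms a client in FINANCE.JUNGLE.COM must traverse to reach IT.JUNGLE.COM, lists the inter-realm TGT it requests at each hop, and shows which realms end up in the ticket's transited list. The principal lists are constructed from this section's example; with only the one-way principals, the reverse direction has no path.

```python
"""Walk a hierarchical Kerberos inter-realm trust chain.

Added example; this is not code from the HP Kerberos Server documentation.
The trust graph is built from the inter-realm principals that exist in the
realms' principal databases: krbtgt/REMOTE@LOCAL means a client holding a
TGT for LOCAL can ask LOCAL's security server for an inter-realm TGT that
REMOTE's security server accepts. The realm names are the ones used in the
configuration example; the principal lists below are constructed input.
"""
from collections import deque

# One-way trust as configured in the example:
# FINANCE.JUNGLE.COM -> BAMBI.COM -> IT.JUNGLE.COM
ONE_WAY = [
    "krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM",
    "krbtgt/IT.JUNGLE.COM@BAMBI.COM",
]
# The two additional principals that make the chain two-way
TWO_WAY = ONE_WAY + [
    "krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM",
    "krbtgt/BAMBI.COM@IT.JUNGLE.COM",
]


def parse_krbtgt(principal):
    """Split krbtgt/REMOTE@LOCAL into (remote, local); reject anything else."""
    name, sep, local = principal.rpartition("@")
    service, slash, remote = name.partition("/")
    if not (sep and slash) or service != "krbtgt" or not remote or not local:
        raise ValueError(f"not an inter-realm principal: {principal}")
    return remote, local


def trust_edges(principals):
    """Map each realm to the set of realms it issues inter-realm TGTs for."""
    edges = {}
    for p in principals:
        remote, local = parse_krbtgt(p)
        edges.setdefault(local, set()).add(remote)
    return edges


def realm_path(client_realm, target_realm, principals):
    """Shortest realm chain from client_realm to target_realm, or None.

    Breadth-first search over the directed trust graph; trust is only
    followed in the direction the krbtgt principals allow, so a one-way
    configuration yields no path in the reverse direction.
    """
    edges = trust_edges(principals)
    prev = {client_realm: None}
    queue = deque([client_realm])
    while queue:
        realm = queue.popleft()
        if realm == target_realm:
            path = []
            while realm is not None:
                path.append(realm)
                realm = prev[realm]
            return path[::-1]
        for nxt in sorted(edges.get(realm, ())):
            if nxt not in prev:
                prev[nxt] = realm
                queue.append(nxt)
    return None


def tgs_requests(path):
    """Inter-realm TGTs the client requests, in order, to walk the path.

    At each hop the client presents the TGT it holds for path[i] to that
    realm's security server and asks for krbtgt/path[i+1]@path[i].
    """
    return [f"krbtgt/{nxt}@{this}" for this, nxt in zip(path, path[1:])]


def transited_realms(path):
    """Intermediate realms the final service ticket lists as transited.

    The client's own realm and the target realm are not included; the
    target realm decides whether these intermediates are acceptable.
    """
    return path[1:-1]


if __name__ == "__main__":
    path = realm_path("FINANCE.JUNGLE.COM", "IT.JUNGLE.COM", ONE_WAY)
    print("path:", " -> ".join(path))
    for req in tgs_requests(path):
        print("request", req)
    print("transited:", transited_realms(path))
    print("reverse path with one-way trust:",
          realm_path("IT.JUNGLE.COM", "FINANCE.JUNGLE.COM", ONE_WAY))
```

The search follows only the direction each krbtgt principal permits, which is exactly the one-way versus two-way distinction made above: with ONE_WAY a client in IT.JUNGLE.COM cannot reach FINANCE.JUNGLE.COM at all, and with TWO_WAY it walks back through BAMBI.COM.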
Steps for configuring the Local Realm

For these steps, the local realm is FINANCE.JUNGLE.COM and the
intermediate realm is BAMBI.COM. In the FINANCE.JUNGLE.COM realm:

1. Using the Kerberos Server's Administrator in the FINANCE.JUNGLE.COM
   realm, add the krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM principal, which
   allows users in the FINANCE.JUNGLE.COM realm to authenticate with the
   server in the BAMBI.COM realm. Enable the following settings for this
   principal:
   - Select all Allow attributes.
   - Clear all Require attributes.
   - Provide a password rather than a random key, and remember the
     password; the same password must be entered for this principal in
     the BAMBI.COM realm.
   - Record the primary key type and salt type.
   - Record the password key version number.

2. If the FINANCE.JUNGLE.COM realm also trusts the BAMBI.COM realm, add
   the krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM principal, which allows users
   in the BAMBI.COM realm to authenticate to the services in the
   FINANCE.JUNGLE.COM realm. Enable the same settings for this principal
   as for krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM above, and remember its
   password, key type, salt type and key version number as well.

3. Exit Administrator.
Steps for configuring the Intermediate Realm(s)

For these steps, the name of the local realm is FINANCE.JUNGLE.COM, the
name of the intermediate realm is BAMBI.COM, and the name of the target
realm is IT.JUNGLE.COM.

NOTE: Each intermediate realm holds four inter-realm keys if you are
performing two-way inter-realm authentication (two if one-way).

In the BAMBI.COM realm:

1. Using the Kerberos Server's Administrator, add the
   krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM principal, which allows users in
   the FINANCE.JUNGLE.COM realm to authenticate with the server in the
   BAMBI.COM realm. Enable the same settings, and provide the same
   password, as used for krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM in the local
   realm; the key type, salt type and key version number must match the
   values recorded there.

2. If the FINANCE.JUNGLE.COM realm also trusts the BAMBI.COM realm, add
   the krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM principal, which allows users
   in the BAMBI.COM realm to authenticate with the server in the
   FINANCE.JUNGLE.COM realm. Enable the same settings, and provide the
   same password, as used for krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM in the
   local realm.

3. Add the krbtgt/IT.JUNGLE.COM@BAMBI.COM principal, which allows users
   in the BAMBI.COM realm to authenticate with the server in the
   IT.JUNGLE.COM realm. Enable the same settings as for the principals
   above (all Allow attributes selected, all Require attributes cleared,
   a password rather than a random key). Remember the password and record
   the primary key type, salt type and key version number; the same
   values must be used for this principal in the target realm.

4. If the BAMBI.COM realm also trusts the IT.JUNGLE.COM realm, add the
   krbtgt/BAMBI.COM@IT.JUNGLE.COM principal, which allows users in the
   IT.JUNGLE.COM realm to authenticate with the server in the BAMBI.COM
   realm. Enable the same settings as in step 3, and remember its
   password, key type, salt type and key version number for the target
   realm.

5. Exit Administrator.
Steps for configuring the Target Realm

For these steps, the name of the intermediate realm is BAMBI.COM and the
name of the target realm is IT.JUNGLE.COM. In the IT.JUNGLE.COM realm:

1. Using HP's Kerberos Server Administrator, add the
   krbtgt/IT.JUNGLE.COM@BAMBI.COM principal, which allows users in the
   BAMBI.COM realm to authenticate with the server in the IT.JUNGLE.COM
   realm. Enable the following settings for this principal:
   - Provide the same password used for krbtgt/IT.JUNGLE.COM@BAMBI.COM in
     the intermediate realm.
   - Select all Allow attributes.
   - Clear all Require attributes.
   - Record the primary key type and salt type; they must match those
     recorded for this principal in the intermediate realm.
   - Record the password key version number; it must match the one
     recorded for this principal in the intermediate realm. If either
     realm's copy of the key differs in type, salt or version, the
     IT.JUNGLE.COM server cannot decrypt the inter-realm ticket issued
     by BAMBI.COM and the authentication fails.

2. If the BAMBI.COM realm also trusts the IT.JUNGLE.COM realm, add the
   krbtgt/BAMBI.COM@IT.JUNGLE.COM principal, which allows users in the
   IT.JUNGLE.COM realm to authenticate with the server in the BAMBI.COM
   realm. Enable the same settings and provide the same password as used
   for this principal in the intermediate realm.

3. Exit Administrator.
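The three procedures above, as an added Python example (not code from the HP Kerberos Server documentation or the Administrator tool): for an arbitrary chain of realms it lists the krbtgt principals each realm's database must contain, one-way or two-way, and checks that the key type, salt type and key version number recorded for each shared principal agree in both realms that hold it. The record dictionaries and their values are constructed for this example, not output of any HP tool; one kvno mismatch is included deliberately to show the check firing.

```python
"""Provisioning check for hierarchical inter-realm principals.

Added example; not code from the HP Kerberos Server documentation. Given a
trust chain [local, intermediate..., target] it lists the krbtgt principals
each realm's principal database must hold, and checks that the attributes an
administrator recorded when adding each shared principal (primary key type,
salt type, key version number) agree between the two realms that hold it.
The record dictionaries are an assumed format for this example, not output
of the Administrator tool.
"""

EXAMPLE_CHAIN = ["FINANCE.JUNGLE.COM", "BAMBI.COM", "IT.JUNGLE.COM"]


def parse_krbtgt(principal):
    """Split krbtgt/REMOTE@LOCAL into (remote, local); reject anything else."""
    name, sep, local = principal.rpartition("@")
    service, slash, remote = name.partition("/")
    if not (sep and slash) or service != "krbtgt" or not remote or not local:
        raise ValueError(f"not an inter-realm principal: {principal}")
    return remote, local


def required_principals(chain, two_way=False):
    """Return {realm: sorted list of krbtgt principals} for the chain.

    krbtgt/NEXT@THIS must exist in THIS (which issues the inter-realm TGT)
    and in NEXT (which must decrypt it). With two_way, krbtgt/THIS@NEXT is
    added to both as well, so an intermediate realm ends up with four.
    """
    needed = {realm: set() for realm in chain}
    for this, nxt in zip(chain, chain[1:]):
        names = [f"krbtgt/{nxt}@{this}"]
        if two_way:
            names.append(f"krbtgt/{this}@{nxt}")
        for name in names:
            needed[this].add(name)
            needed[nxt].add(name)
    return {realm: sorted(names) for realm, names in needed.items()}


def verify_shared_keys(records):
    """Check the recorded attributes of each inter-realm principal.

    records: iterable of dicts with keys realm, principal, key_type,
    salt_type, kvno, one per realm in which the principal was added.
    Returns a list of problem descriptions; an empty list means consistent.
    """
    by_principal = {}
    for rec in records:
        by_principal.setdefault(rec["principal"], []).append(rec)

    problems = []
    for principal, entries in sorted(by_principal.items()):
        remote, local = parse_krbtgt(principal)
        realms = sorted(e["realm"] for e in entries)
        expected = sorted([remote, local])
        # The principal must be present in exactly the two realms it names.
        if realms != expected:
            problems.append(f"{principal}: found in {realms}, expected in {expected}")
            continue
        a, b = entries
        for field in ("key_type", "salt_type", "kvno"):
            if a[field] != b[field]:
                problems.append(
                    f"{principal}: {field} differs "
                    f"({a['realm']}={a[field]!r}, {b['realm']}={b[field]!r})")
    return problems


# Constructed records, as an administrator might note them while following
# the steps above. The kvno for krbtgt/IT.JUNGLE.COM@BAMBI.COM was bumped in
# one realm only, which would leave IT.JUNGLE.COM unable to decrypt the
# inter-realm TGT that BAMBI.COM issues.
EXAMPLE_RECORDS = [
    {"realm": "FINANCE.JUNGLE.COM", "principal": "krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM",
     "key_type": "des3-cbc-sha1", "salt_type": "normal", "kvno": 1},
    {"realm": "BAMBI.COM", "principal": "krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM",
     "key_type": "des3-cbc-sha1", "salt_type": "normal", "kvno": 1},
    {"realm": "BAMBI.COM", "principal": "krbtgt/IT.JUNGLE.COM@BAMBI.COM",
     "key_type": "des3-cbc-sha1", "salt_type": "normal", "kvno": 1},
    {"realm": "IT.JUNGLE.COM", "principal": "krbtgt/IT.JUNGLE.COM@BAMBI.COM",
     "key_type": "des3-cbc-sha1", "salt_type": "normal", "kvno": 2},
]


if __name__ == "__main__":
    for realm, names in required_principals(EXAMPLE_CHAIN, two_way=True).items():
        print(realm, "->", ", ".join(names))
    for problem in verify_shared_keys(EXAMPLE_RECORDS):
        print("PROBLEM:", problem)
```

Running the check before the first inter-realm login catches the mismatch that otherwise surfaces only as a failed ticket exchange between BAMBI.COM and IT.JUNGLE.COM; with the consistent FINANCE.JUNGLE.COM pair alone it reports nothing.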