"Inger, Slav (S.B.)" wrote:
>
> Final question for today: is it explicitly disallowed for separate realms
> to map to a single DNS domain in [domain_realm] section?

Usually a server is only in one realm. The client machine will use the [domain_realm] to figure out what realm it is in, and request a ticket for it from the server's realm. This might require the user to get a cross realm TGT. This happens under the covers.

> We have a
> situation where users belonging to separate realms are in the same DNS
> domain and cross-realm authentication for these users is a must.

The realm of the user has very little to do with the realm of the server. Cross realm will get a ticket for the server in the server's realm. But on the server you may have to add a .k5login file to the user's home directory, indicating that a user from the other realm may use this local account.

> When I
> tested this, Kerberos would get confused and deny cross-realm authentication
> requests.

This is not clear, any error messages?

> Just making sure I wasn't missing anything when I tried it. If
> this is currently not an option, some thought needs to be given to
> scalability issues Kerberos faces in large heterogeneous environments.

I use cross realm every day. You must be missing something.

> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
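The two checks described in the reply above, as an added example that is not part of the original message and is not MIT Kerberos code: a simplified Python model of how a [domain_realm] lookup picks the server's realm from its hostname, and how a .k5login file on the server admits a principal from another realm. All realm names, hosts, principals and function names are constructed for illustration.

```python
# Simplified model (added example); every realm, host and principal is constructed.

DOMAIN_REALM = {  # stands in for the [domain_realm] section of krb5.conf
    ".example.com": "EXAMPLE.COM",          # whole DNS domain -> one realm
    "lab1.example.com": "LAB.EXAMPLE.COM",  # exact host entry wins over the domain
}

# Constructed contents of ~alice/.k5login on the server: one principal per line.
K5LOGIN = """\
alice@EXAMPLE.COM
alice@OTHER.EXAMPLE.ORG
"""


def host_realm(hostname, mapping=DOMAIN_REALM):
    """Map a server hostname to a realm: exact host first, then parent domains."""
    name = hostname.lower()
    while name:
        if name in mapping:
            return mapping[name]
        # Walk towards the parent: "a.b.c" -> ".b.c" -> "b.c" -> ".c" -> "c"
        if name.startswith("."):
            name = name[1:]
        else:
            dot = name.find(".")
            name = name[dot:] if dot != -1 else ""
    return None  # no [domain_realm] entry applies to this host


def service_principal(service, hostname):
    """Principal the client asks for; its realm comes from the server's
    hostname, not from the realm of the user making the request."""
    realm = host_realm(hostname)
    return f"{service}/{hostname.lower()}@{realm}" if realm else None


def k5login_allows(principal, k5login_text=K5LOGIN):
    """True if the authenticated client principal is listed in .k5login."""
    entries = {ln.strip() for ln in k5login_text.splitlines() if ln.strip()}
    return principal in entries


if __name__ == "__main__":
    # A user from OTHER.EXAMPLE.ORG logging in to a server in EXAMPLE.COM.
    print(service_principal("host", "web.example.com"))
    print(k5login_allows("alice@OTHER.EXAMPLE.ORG"))
```

The lookup returns one realm per hostname, while the client principal checked against .k5login can carry any realm, which is the separation the reply draws between the server's realm and the user's realm.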
