Intention

I want to set up 2 Kerberos realms where one can authenticate the users in the other.

Current Setup

I have 2 Kerberos Servers (ad.somedomain.com and kerb.foo.bar)

I have my users on kerb.foo.bar

User
user1
alice
bob

I can kinit user1@KERB.FOO.BAR, alice@KERB.FOO.BAR and bob@KERB.FOO.BAR and get a TGT for all of them when I klist.

I want

I want to use the AD.SOMEDOMAIN.COM as a sub realm or the ad.somedomain.com as an intermediate server.

I want to be able to kinit user1@AD.SOMEDOMAIN.COM, alice@AD.SOMEDOMAIN.COM or bob@AD.SOMEDOMAIN.COM and have it grant tickets and authenticate.

  ad.somedomain.com ←→ kerb.foo.bar
          ↑
user1@ad.somedomain.com

Clarification

I am unsure of how to:

  1. Set up the trust relationship between ad.somedomain.com and kerb.foo.bar

  2. How to set up the users in such a way as to allow what I want to accomplish

  3. How to set up the client krb5.conf to properly use this setup.

  4. (Optional) Is there a difference in setting this up as a "one-way" trust?

    I don't think I need this relationship to happen in reverse:
    Where I have users in ad.somedomain.com that I want authenticated in kerb.foo.bar

What I have done

I have looked at this part of the MIT Documentation on Kerberos but I must be doing something wrong.

It might be that my krb5.conf is set up incorrectly or that I have my [capaths] wrong.

krb5.conf

[libdefaults]
 forwardable = true
 default_realm = KERB.FOO.BAR
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 KERB.FOO.BAR = {
  kdc = kerb.foo.bar
  admin_server = kerb.foo.bar
 }
 AD.SOMEDOMAIN.COM = {
  kdc = ad.somedomain.com
  admin_server = ad.somedomain.com
 }

[domain_realm]
 .ad.somedomain.com = AD.SOMEDOMAIN.COM
 ad.somedomain.com = AD.SOMEDOMAIN.COM
 .kerb.foo.bar = KERB.FOO.BAR
 kerb.foo.bar = KERB.FOO.BAR

[capaths]
  AD.SOMEDOMAIN.COM = {
    KERB.FOO.BAR = .
  }

  • Is your realm named `kerb.foo.bar` or `KERB.FOO.BAR`? There's a difference. (Realm names are case-sensitive and traditionally upper-case; even in AD the realm name is upper-case even though the UPN suffix is lower-case.) – user1686 Aug 21 '22 at 11:56
  • Yes. My realm is `KERB.FOO.BAR` and the dns domain the Kerberos server is running on is `kerb.foo.bar`. Which parts of my question should I change to uppercase to avoid confusion? – Wessel Scholtz Aug 22 '22 at 13:20
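The comment thread above turns on realm-name case, and the question itself suspects the [realms]/[capaths] sections. Below is an added example (not part of the question, not MIT Kerberos code) of a small krb5.conf sanity checker in Python: it parses the one-level `{ ... }` nesting that [realms] and [capaths] use, then reports realm names that are not upper-case, [domain_realm] mappings that point at an unknown realm, and [capaths] hops whose realm has no [realms] stanza (in which case libkrb5 has to find the KDC via DNS SRV records). The embedded configuration is constructed for the demo: it reuses the two realm names from the question, adds a deliberately lower-cased mapping, and uses EXAMPLE.ORG as a placeholder third realm.

```python
"""Sanity checks for a krb5.conf cross-realm setup (added example, not from the question)."""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value}} where a value is either a
    string or, for 'KEY = {' blocks, a nested dict. One level of nesting is enough
    for [realms] and [capaths]. A repeated key keeps its last value."""
    conf = {}
    section = None
    block = None  # dict of the '{ ... }' block currently open, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in krb5.conf
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("key outside any [section]: %r" % raw)
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        (block if block is not None else section)[key] = value
    return conf


def audit(text):
    """Return a list of human-readable findings for the given krb5.conf text."""
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    findings = []

    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm and default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] stanza")

    # Realm names are case-sensitive; the MIT/AD convention is upper-case.
    for realm in realms:
        if realm != realm.upper():
            findings.append(f"[realms] {realm}: expected upper-case {realm.upper()}")

    for host, realm in conf.get("domain_realm", {}).items():
        if realm != realm.upper():
            findings.append(f"[domain_realm] {host} -> {realm}: expected upper-case {realm.upper()}")
        elif realm not in realms:
            findings.append(f"[domain_realm] {host} -> {realm}: no [realms] stanza")

    # [capaths] CLIENT = { SERVER = . } means "go directly"; any other value is an
    # intermediate realm the client must get a cross-realm TGT from first.
    for client_realm, paths in conf.get("capaths", {}).items():
        if not isinstance(paths, dict):
            findings.append(f"[capaths] {client_realm}: expected a {{ ... }} block")
            continue
        for server_realm, via in paths.items():
            hops = [client_realm, server_realm] + ([] if via == "." else [via])
            for name in hops:
                if name != name.upper():
                    findings.append(f"[capaths] {client_realm} -> {server_realm}: "
                                    f"realm {name} should be upper-case")
                elif name not in realms:
                    findings.append(f"[capaths] {client_realm} -> {server_realm}: no [realms] "
                                    f"stanza for {name} (KDC lookup falls back to DNS SRV records)")
    return findings


# Constructed sample: the two realms from the question, one deliberately lower-cased
# [domain_realm] mapping, and EXAMPLE.ORG as a placeholder realm with no stanza.
SAMPLE_CONF = """
[libdefaults]
 default_realm = KERB.FOO.BAR

[realms]
 KERB.FOO.BAR = {
  kdc = kerb.foo.bar
  admin_server = kerb.foo.bar
 }
 AD.SOMEDOMAIN.COM = {
  kdc = ad.somedomain.com
 }

[domain_realm]
 .kerb.foo.bar = kerb.foo.bar   # constructed mistake: realm written in lower-case
 ad.somedomain.com = AD.SOMEDOMAIN.COM

[capaths]
 AD.SOMEDOMAIN.COM = {
  KERB.FOO.BAR = .
 }
 KERB.FOO.BAR = {
  EXAMPLE.ORG = .
 }
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against a real file with `audit(open("/etc/krb5.conf").read())`; an empty list means the names and paths are at least internally consistent, which rules out the case mismatch raised in the comments before looking at the KDCs themselves.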