Posted to dev@directory.apache.org by "Zheng, Kai" <ka...@intel.com> on 2017/10/23 02:39:39 UTC

RE: Kerby Update

+ Directory.

Regards,
Kai

-----Original Message-----
From: Zheng, Kai [mailto:kai.zheng@intel.com] 
Sent: Monday, October 23, 2017 10:38 AM
To: kerby@directory.apache.org
Subject: RE: Kerby Update

Cool!!

Thanks Jiajia & Frank for working on this, cross-realm trust support! I thought this takes Kerby a much further step towards a decent and standalone Kerberos implementation.

-----Original Message-----
From: Li, Jiajia [mailto:jiajia.li@intel.com] 
Sent: Monday, October 23, 2017 9:22 AM
To: kerby@directory.apache.org
Subject: Kerby Update

Hi all,

Recently we have implemented cross-realm authentication support: a KDC in one realm can authenticate users in a different realm, so it allows clients from another realm to access the cluster. Cross-realm authentication is accomplished by sharing a secret key between the two realms. Both backends should have the krbtgt service principals for the realms with the same passwords, key version numbers, and encryption types. We have used this feature in a Hadoop cluster: after establishing cross-realm trust between two secure Hadoop clusters with their own realms, copying data between the two secure clusters now works. This support can also be used to build a trust relationship with an MIT Kerberos KDC, and we have tested compatibility.

Here is the document about setting up cross realm:
https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md

Thanks,
Jiajia
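
The requirement stated in the message above (both backends hold the cross-realm krbtgt principals with the same passwords, key version numbers and encryption types) can be checked mechanically before trust is relied on. The following is an added example, not code from the Kerby project or from this thread. The realm names, the export layout and the key values are constructed, and it assumes a two-way trust and default salts.

```python
import hmac

# Constructed sample exports (not real Kerby output): principal -> [(kvno, enctype, key hex)]
P_AB = "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM"
P_BA = "krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM"
KDC_A = {
    P_AB: [(1, "aes128-cts-hmac-sha1-96", "11" * 16),
           (1, "aes256-cts-hmac-sha1-96", "22" * 32)],
    P_BA: [(1, "aes128-cts-hmac-sha1-96", "33" * 16)],
}
# Backend B as an operator might leave it: key re-created (kvno 2) with one
# enctype only, and the reverse-direction principal never added.
KDC_B_BROKEN = {P_AB: [(2, "aes128-cts-hmac-sha1-96", "11" * 16)]}


def current_keys(entries):
    """Return (highest kvno, {enctype: key hex}) for one principal."""
    kvno = max(k for k, _, _ in entries)
    return kvno, {etype: key for k, etype, key in entries if k == kvno}


def check_trust(kdc_a, kdc_b, realm_a, realm_b):
    """List mismatches between the two backends' cross-realm krbtgt entries."""
    findings = []
    # krbtgt/B@A serves A's users reaching B; krbtgt/A@B is the reverse direction.
    for princ in (f"krbtgt/{realm_b}@{realm_a}", f"krbtgt/{realm_a}@{realm_b}"):
        missing = [name for name, kdc in (("A", kdc_a), ("B", kdc_b)) if princ not in kdc]
        if missing:
            findings.append(f"{princ}: missing in backend {', '.join(missing)}")
            continue
        kvno_a, keys_a = current_keys(kdc_a[princ])
        kvno_b, keys_b = current_keys(kdc_b[princ])
        if kvno_a != kvno_b:
            findings.append(f"{princ}: kvno {kvno_a} != {kvno_b}")
        if set(keys_a) != set(keys_b):
            findings.append(f"{princ}: enctypes differ: {sorted(set(keys_a) ^ set(keys_b))}")
        for etype in sorted(set(keys_a) & set(keys_b)):
            # Same principal name means same default salt, so equal passwords give equal keys.
            if not hmac.compare_digest(keys_a[etype], keys_b[etype]):
                findings.append(f"{princ}: {etype} key differs (password or salt mismatch)")
    return findings


if __name__ == "__main__":
    for line in check_trust(KDC_A, KDC_B_BROKEN, "A.EXAMPLE.COM", "B.EXAMPLE.COM"):
        print(line)
```

An empty result means the three properties named in the message agree for both directions of the trust.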