Posted to commits@directory.apache.org by ze...@apache.org on 2017/10/16 05:19:47 UTC
directory-kerby git commit: DIRKRB-655 Add setting up cross realm authentication guide.
Repository: directory-kerby
Updated Branches:
refs/heads/cross-realm 69752e323 -> 9eb294fcc
DIRKRB-655 Add setting up cross realm authentication guide.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/9eb294fc
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/9eb294fc
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/9eb294fc
Branch: refs/heads/cross-realm
Commit: 9eb294fcc2a8bf742ac659b43b79b271babb248c
Parents: 69752e3
Author: zenglinx <ze...@apache.org>
Authored: Mon Oct 16 13:18:51 2017 +0800
Committer: zenglinx <ze...@apache.org>
Committed: Mon Oct 16 13:18:51 2017 +0800
----------------------------------------------------------------------
docs/cross-realm.md | 71 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/9eb294fc/docs/cross-realm.md
----------------------------------------------------------------------
diff --git a/docs/cross-realm.md b/docs/cross-realm.md
new file mode 100644
index 0000000..9d68818
--- /dev/null
+++ b/docs/cross-realm.md
@@ -0,0 +1,71 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+cross-realm
+============
+
+### Synchronize time of realms
+The time of realms should be synchronized.
+
+### Add the same special principals in realms
+```
+cd kerby-dist/kdc-dist
+sh bin/kadmin.sh [server-conf-dir] -k [keytab]
+// A.EXAMPLE.COM realm to access a service in the B.EXAMPLE.COM realm
+KadminTool.local: addprinc -pw [same-password] krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM
+// Make sure that both principals have matching key version numbers and encryption types
+KadminTool.local: getprinc krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM
+```
+
+### Configure krb5.conf of realms
+
+* config realms and domain_realms sections, make sure the realms are contained.
+
+* config capaths section, which contains the realm chain.
+
+An example of krb5.conf:
+```
+[realms]
+ A.EXAMPLE.COM = {
+ kdc = A.EXAMPLE.COM
+ }
+ B.EXAMPLE.COM = {
+ kdc = B.EXAMPLE.COM
+ }
+
+[domain_realm]
+ .A.EXAMPLE.COM = a.example.com
+ A.EXAMPLE.COM = a.example.com
+ .B.EXAMPLE.COM = b.example.com
+ B.EXAMPLE.COM = b.example.com
+
+[capaths]
+ A.EXAMPLE.COM = {
+ B.EXAMPLE.COM = .
+ }
+ B.EXAMPLE.COM = {
+ A.EXAMPLE.COM = .
+ }
+```
+
+### Validate
+```
+cd kerby-dist/tool-dist
+sh bin/kinit.sh -conf [client-conf-dir] -c [credential-cache-of-local-realm] -S [principal-name-of-remote-realm]
+```
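Review bot: the `[domain_realm]` example in this hunk has the mapping inverted; that section maps a hostname or domain suffix to a realm name, so the entries should read `.a.example.com = A.EXAMPLE.COM` and `a.example.com = A.EXAMPLE.COM` (likewise for B), not uppercase realm names on the left mapped to lowercase domains on the right. As written, a client looking up which realm `host.a.example.com` belongs to will not match any entry. Two smaller points for the same file: the "Add the same special principals in realms" section shows only `krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM`, which covers the A-to-B direction the comment describes, while the `[capaths]` example below it is configured in both directions; the text should say that this principal must be created on both KDCs with the same password (the heading implies it but the commands do not), and that the reverse direction needs the counterpart `krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM` as well. The `getprinc` comment about matching key version numbers and encryption types would also be clearer if it stated that the check is to be run on both KDCs and compared.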