(heimdal.info) Transit policy
Transit policy
==============

If you want to use cross realm authentication through an intermediate
realm, it must be explicitly allowed by either the KDCs or the server
receiving the request. This is done in `krb5.conf' in the `[capaths]'
section.

When the ticket transits through a realm to another realm, the
destination realm adds its peer to the "transited-realms" field in the
ticket. The field is unordered, since there is no way to know if one of
the transited realms changed the order of the list.

The syntax for the `[capaths]' section:

     [capaths]
             CLIENT-REALM = {
                     SERVER-REALM = PERMITTED-CROSS-REALMS ...
             }

The realm `STACKEN.KTH.SE' allows clients from `SU.SE' and `DSV.SU.SE'
to cross in. Since `STACKEN.KTH.SE' only has direct cross realm
authentication with `KTH.SE', and `DSV.SU.SE' only has direct cross
realm authentication with `SU.SE', they need to use both `SU.SE' and
`KTH.SE' as transit realms.

     [capaths]
             SU.SE = {
                     STACKEN.KTH.SE = KTH.SE
             }
             DSV.SU.SE = {
                     STACKEN.KTH.SE = SU.SE KTH.SE
             }
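
The sketch below is an added example, not code from Heimdal or from this
manual. It models the policy described above: it parses the `[capaths]'
example and checks a ticket's transited-realms set against the permitted
list. The function names, and the choice to treat a missing entry as "no
transit permitted", are assumptions of this model.

```python
import re

# The page's example policy, embedded so the check runs offline.
KRB5_CONF = """
[capaths]
    SU.SE = {
        STACKEN.KTH.SE = KTH.SE
    }
    DSV.SU.SE = {
        STACKEN.KTH.SE = SU.SE KTH.SE
    }
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: set(permitted transit realms)}}."""
    policy, in_section, client = {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("["):                 # a new section starts
            in_section = line.lower() == "[capaths]"
            client = None
        elif not in_section:
            continue
        elif line == "}":                        # end of a client realm block
            client = None
        elif (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            client = m.group(1)
            policy.setdefault(client, {})
        elif client and (m := re.fullmatch(r"(\S+)\s*=\s*(.*)", line)):
            policy[client].setdefault(m.group(1), set()).update(m.group(2).split())
    return policy

def transit_allowed(policy, client, server, transited):
    """Return (ok, offending realms) for a ticket's transited-realms field."""
    transited = set(transited)       # the field is unordered, so compare as a set
    if not transited:
        return True, set()           # no intermediate realm was used
    # Assumption of this model: no [capaths] entry means nothing is permitted.
    permitted = policy.get(client, {}).get(server, set())
    bad = transited - permitted
    return not bad, bad

POLICY = parse_capaths(KRB5_CONF)
```

Any realm returned in the second element of `transit_allowed' is one the
ticket crossed without being listed for that client and server pair.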