Cross-realm authentication
==========================
In order for a KDC in one realm to authenticate Kerberos users in a
different realm, it must share a key with the KDC in the other realm.
Both KDC databases must therefore contain the cross-realm krbtgt
service principals, and each of those principals must have the same
key in both databases: the same password, key version number, and
encryption types.  A principal krbtgt/B@A lets the KDC of realm A
issue cross-realm TGTs that the KDC of realm B can decrypt, so it
enables authentication from A to B only; creating both principals, as
in the example, gives trust in both directions, while a one-way trust
needs only one of them.
For example, if the administrators of ATHENA.MIT.EDU and EXAMPLE.COM
wanted to authenticate across the realms, they would run the following
commands on the KDCs in both realms, supplying the same password on
each side.  (The enctype list in this example is legacy: single-DES is
no longer supported by current krb5 releases, so on a modern KDC use
an AES list such as ``aes256-cts:normal aes128-cts:normal`` instead.)::
    shell%: kadmin.local -e "des3-hmac-sha1:normal des-cbc-crc:v4"
    kadmin: addprinc -requires_preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM
    Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM:
    Re-enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM:
    kadmin: addprinc -requires_preauth krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
    Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU:
    Re-enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU:
.. note:: Even if most principals in a realm are generally created
          with the **requires_preauth** flag enabled, this flag is not
          desirable on cross-realm authentication keys because doing
          so makes it impossible to disable preauthentication on a
          service-by-service basis.  In kadmin, a leading ``-`` on a
          flag clears it and a leading ``+`` sets it, so the
          ``-requires_preauth`` in the example leaves the flag off.
          Disabling it as in the example
.. note:: It is very important that these principals have good
          passwords.  MIT recommends that TGT principal passwords be
          at least 26 characters of random ASCII text.
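The procedure above has to be repeated on two KDCs with an identical password, and nothing in kadmin tells you afterwards whether the two copies actually agree. The script below is an added example, not part of the MIT krb5 documentation: it generates a random password of the recommended length, prints the ``kadmin.local`` invocations for one KDC (using the real ``-e``, ``-q``, ``addprinc -pw`` and ``-requires_preauth`` options, with AES enctypes in place of the page's legacy DES list), and checks two ``getprinc`` listings against each other. The ``getprinc`` output embedded in it is a constructed sample so the checks run offline; the realm names are the ones on this page.

```shell
#!/bin/sh
# Added example (not from the MIT krb5 documentation).  Helpers for the
# cross-realm procedure: one shared random password, the kadmin.local
# commands for one side, and a post-check that both KDC databases hold
# the same key (same kvno, same enctypes, REQUIRES_PRE_AUTH cleared).

# MIT recommends at least 26 characters of random ASCII for TGT keys.
# The alphabet omits quotes, backslash and space so the value survives
# kadmin's -q argument parsing unchanged.  $1 = length (default 32).
gen_tgt_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!%+,./:=@^_~-' < /dev/urandom | head -c "${1:-32}"
    echo
}

# Print the kadmin.local commands for one KDC.  Run the identical
# commands on BOTH KDCs with the SAME password: -randkey cannot be used
# here because the key would then differ between the two databases.
# In kadmin's syntax "-requires_preauth" CLEARS the flag ("+" sets it),
# which is what the note above recommends.  -pw keeps this scriptable;
# on a shared host prefer the interactive prompt shown on the page so
# the password never appears in the process list.
# $1 = local realm, $2 = remote realm, $3 = shared password
cross_realm_cmds() {
    enc='aes256-cts:normal aes128-cts:normal'   # AES instead of the page's DES list
    for p in "krbtgt/$1@$2" "krbtgt/$2@$1"; do
        printf 'kadmin.local -e "%s" -q "addprinc -requires_preauth -pw %s %s"\n' \
            "$enc" "$3" "$p"
    done
}

# Reduce a getprinc listing to the lines that must agree between the
# two KDCs: "Key: vno N, <enctype>" lines and the "Attributes:" line.
key_summary() {
    printf '%s\n' "$1" | grep -E '^(Key:|Attributes:)' | sort
}

# $1, $2 = getprinc output for the same principal from each KDC.
# Returns 0 when both copies match and preauth is not required,
# 1 on a kvno/enctype mismatch, 2 when REQUIRES_PRE_AUTH is set.
check_cross_realm_keys() {
    _a=$(key_summary "$1")
    _b=$(key_summary "$2")
    if [ "$_a" != "$_b" ]; then
        echo "MISMATCH: key versions or enctypes differ between the KDCs" >&2
        return 1
    fi
    if printf '%s\n' "$_a" | grep -q 'REQUIRES_PRE_AUTH'; then
        echo "WARNING: REQUIRES_PRE_AUTH is set on the cross-realm principal" >&2
        return 2
    fi
    return 0
}

# Constructed sample listings in the format of
# "kadmin.local -q 'getprinc krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU'".
SAMPLE_OK='Principal: krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Attributes:
Policy: [none]'

# Same principal after someone re-ran addprinc/cpw on only one KDC.
SAMPLE_KVNO='Principal: krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Attributes:
Policy: [none]'

# Same principal created with default_principal_flags still in effect.
SAMPLE_PREAUTH='Principal: krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Attributes: REQUIRES_PRE_AUTH
Policy: [none]'

# Demonstration: commands for the ATHENA.MIT.EDU side, then the checks.
pw=$(gen_tgt_password 32)
cross_realm_cmds ATHENA.MIT.EDU EXAMPLE.COM "$pw"
check_cross_realm_keys "$SAMPLE_OK" "$SAMPLE_OK" && echo "both KDCs agree"
check_cross_realm_keys "$SAMPLE_OK" "$SAMPLE_KVNO" || echo "exit status $?"
```

On real KDCs, feed ``check_cross_realm_keys`` the output of ``kadmin.local -q "getprinc krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU"`` captured on each side; a kvno mismatch is the usual symptom of ``cpw`` or ``addprinc`` having been re-run on only one KDC, and shows up to clients as a TGS failure when the cross-realm TGT is presented.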