| field | value | date |
|---|---|---|
| author | Ben Kaduk <kaduk@mit.edu> | 2012-10-05 12:12:47 -0400 |
| committer | Ben Kaduk <kaduk@mit.edu> | 2012-10-11 10:59:45 -0400 |
| commit | d2f5272a5a241e215e19ce5564088ebd158cc3d1 (patch) | |
| tree | 30589c740a8e37fca174777e289aee9492bb799d | |
| parent | cf831d11cd766267e9deb398a6ea57280033b822 (diff) | |
| download | krb5-d2f5272a5a241e215e19ce5564088ebd158cc3d1.tar.gz, krb5-d2f5272a5a241e215e19ce5564088ebd158cc3d1.tar.xz, krb5-d2f5272a5a241e215e19ce5564088ebd158cc3d1.zip | |
Move cross-realm info to the cross-realm section
It's really not appropriate for the "examples" subsection of
"Adding, modifying and deleting principals".
While here, update the enctype recommendation for cross-realm principals
to something that does not include weak crypto.
| -rw-r--r-- | doc/rst_source/krb_admins/database.rst | 26 |
1 files changed, 10 insertions, 16 deletions
diff --git a/doc/rst_source/krb_admins/database.rst b/doc/rst_source/krb_admins/database.rst index 4567c0536..65afebf7c 100644 --- a/doc/rst_source/krb_admins/database.rst +++ b/doc/rst_source/krb_admins/database.rst @@ -140,16 +140,6 @@ type the following:: Principal "david@ATHENA.MIT.EDU" created. kadmin: -If you need cross-realm authentication, you will need to add -principals for the other realm's TGT to each realm. For example, if -you need to do cross-realm authentication between the realms -``ATHENA.MIT.EDU`` and ``EXAMPLE.COM``, you would need to add the -principals ``krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU`` and -``krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM`` to both databases. You need to -be sure the passwords and the key version numbers (kvno) are the same -in both databases. This may require explicitly setting the kvno with -the **-kvno** option. See :ref:`xrealm_authn` for more details. - If you want to delete a principal :: kadmin: delprinc jennifer 
@@ -631,15 +621,19 @@ Cross-realm authentication In order for a KDC in one realm to authenticate Kerberos users in a different realm, it must share a key with the KDC in the other realm. -In both databases, there must be krbtgt service principals for realms. +In both databases, there must be krbtgt service principals for both realms. +For example, if you need to do cross-realm authentication between the realms +``ATHENA.MIT.EDU`` and ``EXAMPLE.COM``, you would need to add the +principals ``krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU`` and +``krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM`` to both databases. These principals must all have the same passwords, key version -numbers, and encryption types. +numbers, and encryption types; this may require explicitly setting +the key version number with the **-kvno** option. -For example, if the administrators of ATHENA.MIT.EDU and EXAMPLE.COM -wanted to authenticate across the realms, they would run the following -commands on the KDCs in both realms:: +In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators +would run the following commands on the KDCs in both realms:: - shell%: kadmin.local -e "des3-hmac-sha1:normal des-cbc-crc:v4" + shell%: kadmin.local -e "aes256-cts:normal" kadmin: addprinc -requires_preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: Re-enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: |
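Review bot: In the first hunk (@@ -140,16 +140,6 @@), removing the whole paragraph also drops the only pointer from the "examples" subsection to the cross-realm section, the sentence "See :ref:`xrealm_authn` for more details." A reader who reaches the addprinc examples looking for cross-realm setup now has nothing to follow; consider keeping a one-line pointer such as "For cross-realm principals, see :ref:`xrealm_authn`." so the moved material stays discoverable from where it used to live.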
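Review bot: In the second hunk (@@ -631,15 +621,19 @@), the new sentence "this may require explicitly setting the key version number with the **-kvno** option" does not say which command takes that option; since the surrounding example uses addprinc, "the **-kvno** option of **addprinc**" would tell the administrator where to put it. Two smaller points: the added line "In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case" uses bare realm names while the sentence just above marks them up as ``ATHENA.MIT.EDU`` and ``EXAMPLE.COM``, so the literal markup should be used consistently; and because the text requires identical encryption types in both databases, it is worth stating explicitly that the same `-e "aes256-cts:normal"` keysalt list must be given to kadmin.local on both KDCs, not just that the commands are run in both realms, since a mismatch there is exactly how the enctypes end up differing.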
