Is [capaths] section necessary for cross-realm kerberos auth?

Is [capaths] section necessary for cross-realm kerberos auth?

pratyush parimal
Hi all,

I'm trying to set up cross-realm between a KDC in EXAMPLE.COM (containing my
users) and a KDC in HADOOP.COM (containing my services).

I read from manuals (like the ones on
https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/capaths.html
  and
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-kerberos-crossrealm.html)
  that you have to do 2 things in order to achieve this:

(1) add a "trust" principal called krbtgt/[hidden email] to both
the KDCs.
(2) add a "capaths" section to the EXAMPLE.COM KDC like so:

[capaths]
 HADOOP.COM = {
  EXAMPLE.COM = .
 }

However, in practice I found that my setup works even without step (2). I'm
wondering if the "capaths" is deprecated or something? Or is it needed for
setups that are more complicated in some way?

Thanks in advance!
Pratyush Parimal.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Is [capaths] section necessary for cross-realm kerberos auth?

Greg Hudson
On 08/25/2017 11:38 AM, pratyush parimal wrote:

> (2) add a "capaths" section to the EXAMPLE.COM KDC like so:
>
> [capaths]
>  HADOOP.COM = {
>   EXAMPLE.COM = .
>  }
>
> However, in practice I found that my setup works even without step (2). I'm
> wondering if the "capaths" is deprecated or something? Or is it needed for
> setups that are more complicated in some way?

capaths are generally not required when there are only two realms.
HADOOP.COM can safely assume that EXAMPLE.COM is qualified to
authenticate users in its own realm.  capaths would be required if
authentication between the two realms went through a third realm which
was not hierarchically related to the two realms.

The capaths example above does (I believe) have the modest effect of
preventing a hypothetical COM realm from acting as an authentication
intermediary between HADOOP.COM and EXAMPLE.COM.  But of course there
will never be a legitimate Kerberos realm named COM.
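Added worked example (it is not code from either post and not MIT krb5 code): a small Python model of the two rules the question and the reply rely on, so the effect of a [capaths] entry can be checked offline. It parses a constructed krb5.conf fragment containing the question's entry, the reverse entry (krb5.conf keys [capaths] by client realm first and server realm second, so the question's `HADOOP.COM = { EXAMPLE.COM = . }` governs clients in HADOOP.COM reaching EXAMPLE.COM), and a hypothetical third realm LAB.ORG reached through a hypothetical non-hierarchical realm TRANSIT.NET, the case the reply says needs capaths. It then computes the transit path both from the entry and from the default hierarchical walk, which is where the "hypothetical COM realm" of the reply comes from. The realms LAB.ORG and TRANSIT.NET, all function names, and the simplifications listed in the module docstring are this example's assumptions, not krb5 behaviour.

```python
"""Model of how MIT krb5 picks a cross-realm transit path from [capaths].

Added example for this thread; not code from the original posts or from
MIT krb5.  It models two documented rules from krb5.conf(5):

 1. [capaths] is keyed by CLIENT realm, then SERVER realm; the values are
    the intermediate realms in order, and "." means the two realms share
    a key directly, so no intermediate realm may appear.
 2. Without a matching entry the default hierarchical path is used: walk
    up from the client realm by dropping leading components until the
    suffix shared with the server realm is reached, then walk down.

Simplifications (assumptions of this model, not krb5 behaviour): only the
krb5.conf syntax subset shown below is parsed; the client's attempt to use
a direct cross-realm key before walking the tree is not modelled; and the
server-side transited check is reduced to "every transited realm must lie
on the path this KDC would compute itself".
"""
import re
from typing import Dict, List

# Constructed krb5.conf fragment for this example.  It holds the entry from
# the question (keyed HADOOP.COM first, so it governs clients in HADOOP.COM
# reaching EXAMPLE.COM), the reverse entry for users in EXAMPLE.COM reaching
# services in HADOOP.COM, and a hypothetical realm LAB.ORG reached through a
# hypothetical intermediate TRANSIT.NET that is not hierarchically related.
KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.COM

[capaths]
 HADOOP.COM = {
  EXAMPLE.COM = .
 }
 EXAMPLE.COM = {
  HADOOP.COM = .
  LAB.ORG = TRANSIT.NET
 }
 LAB.ORG = {
  EXAMPLE.COM = TRANSIT.NET
 }
"""

CapathsMap = Dict[str, Dict[str, List[str]]]


def parse_capaths(text: str) -> CapathsMap:
    """Return {client_realm: {server_realm: [intermediate, ...]}}.

    Repeated 'SERVER = X' lines under one client append in order, which is
    how krb5.conf lists several intermediates for one server realm.
    """
    capaths: CapathsMap = {}
    section = client = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if (m := re.fullmatch(r"\[(\w+)\]", line)):
            section, client = m.group(1).lower(), None
        elif section != "capaths":
            continue
        elif line == "}":
            client = None
        elif (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            client = m.group(1)
            capaths.setdefault(client, {})
        elif client and (m := re.fullmatch(r"(\S+)\s*=\s*(\S+)", line)):
            server, hop = m.groups()
            capaths[client].setdefault(server, []).append(hop)
    return capaths


def hierarchical_path(client_realm: str, server_realm: str) -> List[str]:
    """Intermediate realms on the default hierarchical path (rule 2)."""
    c, s = client_realm.split("."), server_realm.split(".")
    n = 0  # length of the longest common suffix, in components
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    chain = [client_realm]
    for i in range(1, len(c) - n + 1):       # up:   EXAMPLE.COM -> COM
        chain.append(".".join(c[i:]))
    for i in range(len(s) - n - 1, -1, -1):  # down: COM -> HADOOP.COM
        chain.append(".".join(s[i:]))
    # With no common suffix the walk passes an empty "root" realm; dropping
    # it is this model's simplification.
    return [r for r in chain[1:-1] if r]


def transit_path(client_realm: str, server_realm: str, capaths: CapathsMap) -> List[str]:
    """Intermediate realms a client in client_realm crosses to reach server_realm."""
    if client_realm == server_realm:
        return []
    hops = capaths.get(client_realm, {}).get(server_realm)
    if hops is None:
        return hierarchical_path(client_realm, server_realm)
    return [h for h in hops if h != "."]  # "." = direct key, no intermediate


def transited_acceptable(client_realm: str, server_realm: str,
                         transited: List[str], capaths: CapathsMap) -> bool:
    """Server-side view (simplified): accept a ticket only if every realm in
    its transited field lies on the path this KDC would compute itself."""
    allowed = transit_path(client_realm, server_realm, capaths)
    return all(r in allowed for r in transited)


CAPATHS = parse_capaths(KRB5_CONF)

if __name__ == "__main__":
    for c, s in [("EXAMPLE.COM", "HADOOP.COM"), ("EXAMPLE.COM", "LAB.ORG"),
                 ("A.MIT.EDU", "B.MIT.EDU")]:
        print(f"{c} -> {s}: via {transit_path(c, s, CAPATHS) or 'direct'}")
    # The reply's "hypothetical COM realm" appears only on the default path.
    print("default path without capaths:", hierarchical_path("EXAMPLE.COM", "HADOOP.COM"))
    print("ticket transited via COM accepted with the '.' entry?",
          transited_acceptable("EXAMPLE.COM", "HADOOP.COM", ["COM"], CAPATHS))
```

To see which path a real client took, kinit as a user in EXAMPLE.COM, request a service ticket in HADOOP.COM with kvno, and read klist: a direct path leaves krbtgt/HADOOP.COM@EXAMPLE.COM in the credential cache, while a path through an intermediate realm leaves that intermediate's cross-realm TGT there as well. The direct path only works when the krbtgt/HADOOP.COM@EXAMPLE.COM principal exists in both KDC databases with the same password, kvno and enctypes.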