Question about (no-)cross-realm trust


Question about (no-)cross-realm trust

Vipin Rathor-2
Hello Kerberos World!
I am trying to develop an application which can talk to a kerberized
service running in a remote realm. I am aware that this would ideally
require having trust (one way or two way) between my current realm and
remote realm. Additionally, we want to avoid having trust as a requirement
(the folks maintaining remote realm are quite 'possessive' about their
realm). Thinking more about this, I stumbled on this premise which I want
to validate through you, the experts!
What if my application can get two TGTs from both realms and, instead of
getting a cross-realm TGS, use the respective TGTs to talk to the
respective realms?
Am I overlooking something here? Is this a sane thing to do in Kerberos
terms?

Regards,
VR
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Question about (no-)cross-realm trust

Greg Hudson
On 9/17/19 10:22 PM, Vipin Rathor wrote:
> I am trying to develop an application which can talk to a kerberized
> service running in a remote realm. I am aware that this would ideally
> require having trust (one way or two way) between my current realm and
> remote realm. Additionally, we want to avoid having trust as a requirement
> (the folks maintaining remote realm are quite 'possessive' about their
> realm).

Active Directory uses the term "trust" to describe cross-realm
relationships, but there is no requirement for trust between Kerberos 5
realms which share cross-realm keys.  Application servers do need to be
careful to grant an appropriate level of privilege (which might mean no
access at all) to clients in foreign realms.

(I can't tell from the question whether this is a primarily Microsoft
environment or whether the environment uses Heimdal or MIT krb5.)

> What if my application can get two TGTs from both the realms and instead of
> getting a cross-realm TGS, it can use the respective TGTs to talk to
> respective realms?

Yes, an application can have two credential caches containing
credentials for different client principals.  These caches can be
managed individually, or as part of a cache collection:

http://web.mit.edu/kerberos/krb5-latest/doc/basic/ccache_def.html#collections-of-caches
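One way to act on this answer in a client application, as an added example that is not part of the thread: hold one TGT per realm in its own credential cache and select the cache whose client principal belongs to the target service's realm, so that no cross-realm TGS is ever requested. The realm names, principals and cache paths are constructed placeholders, and it assumes the MIT krb5 client tools (kinit, klist).

```shell
#!/bin/sh
# Added example (not from the thread): one credential cache per realm, chosen
# by the realm of the service principal the application is about to contact.
# Assumptions: MIT krb5 client tools are installed; realm names, principals
# and cache paths below are constructed placeholders.
set -eu

CACHE_A=/tmp/krb5cc_realm_a   # holds a TGT for user@REALM-A.EXAMPLE (assumed)
CACHE_B=/tmp/krb5cc_realm_b   # holds a TGT for user@REALM-B.EXAMPLE (assumed)

# Realm of a principal: the text after the last '@'.
realm_of() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   echo "principal has no realm: $1" >&2; return 1 ;;
    esac
}

# Map a target service principal to the cache holding a TGT for its realm.
# A realm we hold no credentials for is a hard failure: the application
# must not silently fall back to a cross-realm path it was built to avoid.
cache_for_service() {
    realm=$(realm_of "$1") || return 1
    case "$realm" in
        REALM-A.EXAMPLE) printf '%s\n' "$CACHE_A" ;;
        REALM-B.EXAMPLE) printf '%s\n' "$CACHE_B" ;;
        *) echo "no credentials held for realm $realm" >&2; return 1 ;;
    esac
}

# Obtain both TGTs, each under its own client principal. Not run by default:
# it needs reachable KDCs for both realms. A DIR: cache collection pointed to
# by KRB5CCNAME (see the linked ccache documentation) is the alternative.
acquire_tgts() {
    kinit -c "$CACHE_A" "user@REALM-A.EXAMPLE"
    kinit -c "$CACHE_B" "user@REALM-B.EXAMPLE"
}

# Run a client command with the cache that matches the service it contacts.
with_cache_for() {
    svc=$1; shift
    cache=$(cache_for_service "$svc") || return 1
    KRB5CCNAME="FILE:$cache" "$@"
}

if [ "${1:-}" = "demo" ]; then
    acquire_tgts
    with_cache_for "host/svc.realm-b.example@REALM-B.EXAMPLE" klist
fi
```

Because each service then sees a client principal from its own realm, the foreign-realm authorization question Greg raises does not arise on the server side; the application's own credential handling becomes the thing to protect.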

Re: Question about (no-)cross-realm trust

Vipin Rathor-2
Thanks, Greg, for clarifying. Good to know that 'trust' is specific to MS AD.
Actually the "1.2. Cross-Realm Operation" section in RFC 4120
<https://tools.ietf.org/html/rfc4120#section-1.2> was throwing me off.
I also found and read the memo RFC 5868, "Problem Statement on the
Cross-Realm Operation of Kerberos" <https://tools.ietf.org/html/rfc5868>,
which discusses the problems with cross-realm operations.

Oh and my question was related to MIT KDC and FreeIPA.
Thanks again, really appreciate it!

Regards,
VR

On Wed, Sep 18, 2019 at 10:32 AM Greg Hudson <[hidden email]> wrote: