Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Inter-realm
Configuring Direct Trust Relationships
Chapter 8 251
The Kerberos Server returns a failure for any of the following reasons:
• The client authentication fails.
• It does not recognize the realm listed in the inter-realm ticket, that
is, a proper trust relationship between the realms has not been
established.
• It does not recognize the requested service principal, and has no
further trust relationships for which it can return an inter-realm ticket.
Direct Trust Relationship Example
To set up a cross-realm authentication between the two realms
ADMIN.BAMBI.COM and IT.BAMBI.COM, we need to create two special
principals on each KDC as shown below:
krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM
krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM
The above special principals together establish a two-way trust relationship. If you
want to configure only a one-way trust relationship, you need to create
only the following special principal:
krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM
The password of each cross-realm principal has to be the same on
both KDCs. However, different cross-realm principals do not have to
have matching passwords.
For example,
krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM has to have the same
password on each KDC, but
krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM and
krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM do not have to share the same
password.
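The following Python example is added here to make the two rules above concrete; it is not tooling from the HP-UX Kerberos Server or from this guide. It builds the krbtgt principal names for a two-way or one-way trust between ADMIN.BAMBI.COM and IT.BAMBI.COM, then compares two constructed KDC databases to report which cross-realm principals are present on both KDCs with matching keys. The direction rule encoded in cross_realm_principal (krbtgt/R@L is issued by realm L and lets L's clients reach services in R) is standard Kerberos semantics, not something this page states; the databases, passwords and the sha256-based key derivation are stand-ins constructed for the example.

```python
"""Cross-realm krbtgt principals for a direct trust, plus a consistency check
across two KDC databases.

Added example, not the HP-UX Kerberos Server's own tooling: the realm names
follow the text above, but the KDC databases, passwords and key derivation
are constructed stand-ins.
"""
from __future__ import annotations

import hashlib
import re

# krbtgt/<realm whose services become reachable>@<realm that issues the ticket>
KRBTGT_RE = re.compile(r"^krbtgt/(?P<remote>[^/@]+)@(?P<issuer>[^/@]+)$")


def cross_realm_principal(from_realm: str, to_realm: str) -> str:
    """Principal that lets clients of from_realm obtain tickets for services in to_realm."""
    return f"krbtgt/{to_realm}@{from_realm}"


def trust_principals(realm_a: str, realm_b: str, two_way: bool = True) -> list[str]:
    """Principals that must exist on each KDC for the requested trust.

    two_way=True yields both directions; two_way=False yields only the
    principal for the realm_a -> realm_b direction.
    """
    names = [cross_realm_principal(realm_a, realm_b)]
    if two_way:
        names.append(cross_realm_principal(realm_b, realm_a))
    return names


def is_cross_realm(principal: str) -> bool:
    """True for krbtgt/X@Y with X != Y (krbtgt/X@X is a realm's own TGS key)."""
    m = KRBTGT_RE.match(principal)
    return bool(m) and m["remote"] != m["issuer"]


def derive_key(password: str, principal: str) -> bytes:
    """Constructed stand-in for string-to-key: hash the password with the
    principal name as salt, so the same password gives the same key on both
    KDCs and any password difference shows up as a key difference."""
    return hashlib.sha256(principal.encode() + b"\0" + password.encode()).digest()


def check_trust(kdc_a: dict[str, bytes], kdc_b: dict[str, bytes]) -> dict[str, str]:
    """Compare the cross-realm krbtgt entries of two KDC databases (principal -> key).

    Per principal the verdict is 'ok' (on both KDCs with an identical key),
    'key-mismatch' (on both, but the keys differ, so the other realm cannot
    decrypt the inter-realm ticket) or 'missing-on-a' / 'missing-on-b'.
    """
    verdict: dict[str, str] = {}
    names = {n for db in (kdc_a, kdc_b) for n in db if is_cross_realm(n)}
    for name in sorted(names):
        if name in kdc_a and name in kdc_b:
            verdict[name] = "ok" if kdc_a[name] == kdc_b[name] else "key-mismatch"
        else:
            verdict[name] = "missing-on-b" if name in kdc_a else "missing-on-a"
    return verdict


def demo() -> dict[str, str]:
    """Two-way trust between the realms from the text, with one constructed password typo."""
    admin, it = "ADMIN.BAMBI.COM", "IT.BAMBI.COM"
    to_admin, to_it = trust_principals(it, admin)  # krbtgt/ADMIN@IT, krbtgt/IT@ADMIN
    kdc_admin = {
        f"krbtgt/{admin}@{admin}": derive_key("admin-local-pw", f"krbtgt/{admin}@{admin}"),
        to_admin: derive_key("shared-pw-1", to_admin),
        to_it: derive_key("shared-pw-2", to_it),
    }
    kdc_it = {
        f"krbtgt/{it}@{it}": derive_key("it-local-pw", f"krbtgt/{it}@{it}"),
        to_admin: derive_key("shared-pw-1", to_admin),  # same password on both KDCs: ok
        to_it: derive_key("shared-pw-2-typo", to_it),  # constructed mismatch
    }
    return check_trust(kdc_admin, kdc_it)


if __name__ == "__main__":
    for principal, state in demo().items():
        print(f"{principal}: {state}")
```

Running the block reports the ADMIN.BAMBI.COM@IT.BAMBI.COM entry as `ok` and the IT.BAMBI.COM@ADMIN.BAMBI.COM entry as `key-mismatch`: the two principals may legitimately use different passwords, but each one must carry the same password on both KDCs, which is exactly the condition the check enforces.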