Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i

Hierarchical Inter-realm Trust
Hierarchical inter-realm authentication is used when one realm does not
have a direct path to its destination realm, but has a path to an
intermediate realm.
A Hierarchical Chain of Trust
Inter-realm trust can be transitive. For example, if realm A trusts B and
B trusts C, then a client in A can get a ticket from C by following the
trust path from A to B to C.
For example, realm 1 could be X.Y.A, realm 2 could be X.Y.C, and
realm 3 could be X.Y.B, with the following direct trust relationships
established between them:
Realm X.Y.A has a direct trust link to realm X.Y.B.
Realm X.Y.B has a direct trust link to realm X.Y.C.
In such a configuration, the client "walks" the realm tree from node
X.Y.A to X.Y.C by requesting an inter-realm TGT from each
intermediate realm (here, X.Y.B) until it obtains the service ticket from
X.Y.C.
Although creating such hierarchical trusts is more efficient than
attempting to configure each server with knowledge of all possible
inter-realm trust relationships, the client must still perform the realm
tree computation, map each realm to a security server hostname, and
request an inter-realm TGT from each realm in the path.
In addition, the Kerberos protocol requires the client to know the exact
realm of each service it wishes to authenticate to. In the last example,
the client in X.Y.A must know that the service it wants to access belongs
to realm X.Y.C.
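The walk described above, as an added example that is not part of the original manual or of the HP-UX Kerberos software: it finds the chain of direct trust links between two realms and lists the ticket the client requests from each KDC along it. Assumptions: the links are treated as one-way in the direction the text lists them, the service name host/app.example is hypothetical, and principals use the standard krbtgt/REMOTE@LOCAL form for inter-realm TGTs.

```python
from collections import deque

# Direct trust links from the text above (constructed as a dict; treating them
# as one-way in the listed direction is an assumption of this example).
DIRECT_TRUST = {
    "X.Y.A": ["X.Y.B"],
    "X.Y.B": ["X.Y.C"],
    "X.Y.C": [],
}

def trust_path(links, client_realm, service_realm):
    """Shortest chain of realms from client to service, or None if none exists."""
    parent = {client_realm: None}
    queue = deque([client_realm])
    while queue:
        realm = queue.popleft()
        if realm == service_realm:
            path = []
            while realm is not None:
                path.append(realm)
                realm = parent[realm]
            return path[::-1]
        for nxt in links.get(realm, []):
            if nxt not in parent:  # visit each realm once; also stops trust loops
                parent[nxt] = realm
                queue.append(nxt)
    return None

def ticket_requests(links, client_realm, service, service_realm):
    """Return (KDC realm, principal requested) for each step of the walk."""
    path = trust_path(links, client_realm, service_realm)
    if path is None:
        raise LookupError(f"no trust path from {client_realm} to {service_realm}")
    # One inter-realm TGT per hop: krbtgt/<next realm>@<current realm>.
    steps = [(cur, f"krbtgt/{nxt}@{cur}") for cur, nxt in zip(path, path[1:])]
    # The destination realm's KDC issues the service ticket itself.
    steps.append((service_realm, f"{service}@{service_realm}"))
    return steps

if __name__ == "__main__":
    # host/app.example is a hypothetical service principal name.
    for kdc, principal in ticket_requests(DIRECT_TRUST, "X.Y.A",
                                          "host/app.example", "X.Y.C"):
        print(f"ask the KDC of {kdc} for {principal}")
```

Running the same search over a site's real trust links shows every realm that can be reached transitively from a given realm, which is the set an administrator is implicitly trusting.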
Hierarchical Inter-realm Example
Let us assume that a client in the realm RED.BLUE.COM needs to
authenticate to a service located in the realm GREEN.YELLOW.COM, but
realm RED.BLUE.COM does not have a direct trust relationship
established with the realm GREEN.YELLOW.COM.