Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Inter-realm
Hierarchical Inter-realm Trust
Now VIBGYOR.INDIGO.COM has a direct trust relationship established
with both RED.BLUE.COM and GREEN.YELLOW.COM. Hence, RED.BLUE.COM
can obtain an inter-realm ticket through the intermediate realm,
VIBGYOR.INDIGO.COM. The client in RED.BLUE.COM requests an
inter-realm ticket from VIBGYOR.INDIGO.COM, and can then use that
inter-realm ticket to contact GREEN.YELLOW.COM for a ticket to use a
service in its realm.
Hierarchical Inter-realm Configuration
To configure realms to perform hierarchical inter-realm authentication,
the following steps are necessary in each realm (the local realm, the
intermediate realm(s), and the target realm):
• Add an inter-realm principal (krbtgt/REALM2@REALM1) to the
principal database to allow the local realm to authenticate with the
intermediate realm and the intermediate realm to authenticate with
another intermediate or the target realm.
• If you also want the intermediate or target realm to authenticate
with the local realm or another intermediate realm (two-way
authentication), you must add a second inter-realm principal
(krbtgt/REALM1@REALM2) to the database.
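The following is an added example, not part of the HP documentation or the Kerberos server itself. It treats each krbtgt/REALM2@REALM1 principal as a one-way link from REALM1 to REALM2, finds the chain of realms a client must cross, and lists the principals still missing for two-way authentication. The function names and the CONFIGURED list are constructed for illustration.

```python
from collections import deque

# Constructed sample: one-way trust RED.BLUE.COM -> VIBGYOR.INDIGO.COM -> GREEN.YELLOW.COM
CONFIGURED = [
    "krbtgt/VIBGYOR.INDIGO.COM@RED.BLUE.COM",
    "krbtgt/GREEN.YELLOW.COM@VIBGYOR.INDIGO.COM",
]

def parse_trust(principal):
    """krbtgt/REALM2@REALM1 -> (REALM1, REALM2): REALM2 accepts tickets from REALM1."""
    name, at, issuing = principal.rpartition("@")
    service, slash, accepting = name.partition("/")
    if not at or not slash or service != "krbtgt" or not issuing or not accepting:
        raise ValueError(f"not an inter-realm principal: {principal!r}")
    return issuing, accepting

def ticket_path(principals, client_realm, service_realm):
    """Shortest chain of realms the client crosses, or None if no path exists."""
    graph = {}
    for issuing, accepting in map(parse_trust, principals):
        graph.setdefault(issuing, set()).add(accepting)
    queue, seen = deque([[client_realm]]), {client_realm}
    while queue:
        path = queue.popleft()
        if path[-1] == service_realm:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def required_principals(path, two_way=False):
    """Inter-realm principals needed for each hop of the path."""
    hops = list(zip(path, path[1:]))
    needed = [f"krbtgt/{dst}@{src}" for src, dst in hops]
    if two_way:  # second principal per hop, in the reverse direction
        needed += [f"krbtgt/{src}@{dst}" for src, dst in hops]
    return needed

def missing_principals(principals, path, two_way=False):
    """Principals the path needs that are not in the configured list."""
    have = set(principals)
    return [p for p in required_principals(path, two_way) if p not in have]

if __name__ == "__main__":
    path = ticket_path(CONFIGURED, "RED.BLUE.COM", "GREEN.YELLOW.COM")
    print("path:", " -> ".join(path))
    print("missing for two-way:", missing_principals(CONFIGURED, path, two_way=True))
```

Running the same path search over every pair of realms shows which realms can reach each other through intermediates, which is useful when reviewing how far a trust chain extends.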
These actions are described in detail in the following sections. The
example configuration in this section uses the inter-realm authentication
principals shown in the figure below. The relationships are defined as
follows:
• krbtgt/BAMBI.COM@FINANCE.JUNGLE.COM allows the server in
BAMBI.COM to accept tickets from FINANCE.JUNGLE.COM