In my ongoing saga of renaming our domain, I'm almost to the point of
bringing up a second set of Kerberos servers for the new realm. As part of
the transition, ideally I would like to set up a trust between them so users
could authenticate to either realm and transparently access services in the
other.

If I understand correctly, I need to create the following two principals in
both realms:

krbtgt/cpp....@csupomona.edu
krbtgt/csupomona....@cpp.edu

and add the following to the krb5.conf so they talk directly rather than
trying to go hierarchically through EDU:

[capaths]
CSUPOMONA.EDU = {
        CPP.EDU = .
}
CPP.EDU = {
        CSUPOMONA.EDU = .
}

Both realms will have exactly the same set of users. Are these the only two
steps needed to allow a principal u...@csupomona.edu to directly access
services in the CPP.EDU realm transparently? Or is there something else I
need to do to allow transparency during the migration?

Thanks much.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
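
An added example, not part of the original post: a Python check that parses a [capaths] stanza like the one above and reports which intermediate realms a client in one realm would transit to reach the other. The function names are hypothetical, the sample file is constructed from the post's stanza, and the hierarchical fallback is a simplified model of the default path through EDU that the post mentions.

```python
# Constructed sample: the [capaths] stanza from the post as krb5.conf text.
SAMPLE = """\
[capaths]
CSUPOMONA.EDU = {
        CPP.EDU = .
}
CPP.EDU = {
        CSUPOMONA.EDU = .
}
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms]}}."""
    paths, section, client = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section, client = line[1:-1].strip().lower(), None
        elif section != "capaths":
            continue
        elif line == "}":
            client = None
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":                  # start of a client-realm subsection
                client = key
                paths.setdefault(client, {})
            elif client is not None and value:
                hops = paths[client].setdefault(key, [])
                if value != ".":              # "." means no intermediate realm
                    hops.append(value)
    return paths

def hierarchical_hops(client, server):
    """Simplified model: walk up to the shared parent realm, then down."""
    c, s = client.split("."), server.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    if common == 0:
        return None                           # no shared suffix, no default path
    up = [".".join(c[i:]) for i in range(1, len(c) - common + 1)]
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, 0, -1)]
    return [r for r in up + down if r not in (client, server)]

def transit_hops(paths, client, server):
    """Return (intermediate realms, source of the answer)."""
    entry = paths.get(client, {}).get(server)
    if entry is not None:
        return entry, "capaths"
    return hierarchical_hops(client, server), "hierarchical"
```

An empty hop list sourced from "capaths" in both directions means the stanza describes a direct path between the two realms; it says nothing about whether the matching krbtgt principals exist in each KDC.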