Thanks Greg for clarifying. Good to know that 'trust' is specific to MS AD. Actually the "1.2. Cross-Realm Operation <https://tools.ietf.org/html/rfc4120#section-1.2>" section in RFC 4120 was throwing me off. I also found & read the memo [RFC-5868] Problem Statement on the Cross-Realm Operation of Kerberos <https://tools.ietf.org/html/rfc5868> which discusses the problems with cross-realm operations.

Oh and my question was related to MIT KDC and FreeIPA. Thanks again, really appreciate it!

Regards,
VR

On Wed, Sep 18, 2019 at 10:32 AM Greg Hudson <[email protected]> wrote:
> On 9/17/19 10:22 PM, Vipin Rathor wrote:
> > I am trying to develop an application which can talk to a kerberized
> > service running in a remote realm. I am aware that this would ideally
> > require having trust (one way or two way) between my current realm and
> > remote realm. Additionally, we want to avoid having trust as a requirement
> > (the folks maintaining remote realm are quite 'possessive' about their
> > realm).
>
> Active Directory uses the term "trust" to describe cross-realm
> relationships, but there is no requirement for trust between Kerberos 5
> realms which share cross-realm keys. Application servers do need to be
> careful to grant an appropriate level of privilege (which might mean no
> access at all) to clients in foreign realms.
>
> (I can't tell from the question whether this is a primarily Microsoft
> environment or whether the environment uses Heimdal or MIT krb5.)
>
> > What if my application can get two TGTs from both the realms and instead of
> > getting a cross-realm TGS, it can use the respective TGTs to talk to
> > respective realms?
>
> Yes, an application can have two credential caches containing
> credentials for different client principals. These caches can be
> managed individually, or as part of a cache collection:
>
> http://web.mit.edu/kerberos/krb5-latest/doc/basic/ccache_def.html#collections-of-caches

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
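The two-TGT approach Greg describes, as an added shell example that is not from the thread or from MIT krb5 itself: each client principal gets its own subsidiary cache inside one MIT krb5 DIR: collection, and the application picks the identity whose realm matches the target service, so no cross-realm TGS is ever requested. Realm names, principal names and the collection path are placeholders; it assumes MIT krb5 1.10 or later (cache collections, `kswitch`, `klist -A`).

```shell
#!/bin/sh
# Added example (not the list's or MIT krb5's own code). Placeholders: realm names,
# principal names, service names and KRB5_COLLECTION. Requires MIT krb5 >= 1.10.

KRB5_COLLECTION="${KRB5_COLLECTION:-$HOME/.krb5cc_collection}"   # assumed location

# Realm part of a principal: everything after the last '@'.
realm_of() { printf '%s\n' "${1##*@}"; }

# Given a target service principal and the client principals we hold, print the
# client principal from the same realm; print nothing and fail if we hold none.
# This is the selection step that lets the app use that realm's own TGT instead
# of a cross-realm TGS.
pick_client_for() {
  svc_realm=$(realm_of "$1"); shift
  for princ in "$@"; do
    if [ "$(realm_of "$princ")" = "$svc_realm" ]; then
      printf '%s\n' "$princ"; return 0
    fi
  done
  return 1
}

# Get a TGT from each realm's own KDC. With KRB5CCNAME pointing at a DIR:
# collection, kinit stores each principal's credentials in a separate
# subsidiary cache rather than overwriting the other identity.
obtain_tgts() {
  mkdir -p "$KRB5_COLLECTION" && chmod 700 "$KRB5_COLLECTION"
  export KRB5CCNAME="DIR:$KRB5_COLLECTION"
  for princ in "$@"; do kinit "$princ"; done
  klist -A     # one listing per cache in the collection
}

# Reach a service using only the client principal from that service's realm.
reach_service() {   # $1 = service principal; remaining args = held client principals
  client=$(pick_client_for "$@") || {
    echo "no credentials held for realm $(realm_of "$1")" >&2; return 1; }
  kswitch -p "$client"    # make that principal's cache the collection's primary
  kvno "$1"               # service ticket comes from that realm's TGT, no cross-realm path
}

# Example invocation (placeholders); uncomment on a host with MIT krb5 and reachable KDCs:
# obtain_tgts vr@HOME.EXAMPLE vr@REMOTE.EXAMPLE
# reach_service host/app.remote.example@REMOTE.EXAMPLE vr@HOME.EXAMPLE vr@REMOTE.EXAMPLE
```

The selection helpers run anywhere; `obtain_tgts` and `reach_service` need a real krb5 client configuration for both realms.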
