(heimdal.info.gz) Transit policy

Info Catalog (heimdal.info.gz) Cross realm (heimdal.info.gz) Setting up a realm (heimdal.info.gz) Setting up DNS
 
 4.14 Transit policy
 ===================
 
 If you want to use cross realm authentication through an intermediate
 realm, it must be explicitly allowed by either the KDCs or the server
 receiving the request. This is done in `krb5.conf' in the `[capaths]'
 section.
 
 When the ticket transits through a realm to another realm, the
 destination realm adds its peer to the "transited-realms" field in the
 ticket. The field is treated as unordered, since there is no way to know
 whether one of the transited realms changed the order of the list.
 
 The syntax for `[capaths]' section:
 
      [capaths]
              CLIENT-REALM = {
                      SERVER-REALM = PERMITTED-CROSS-REALMS ...
              }
 
 The realm `STACKEN.KTH.SE' allows clients from `SU.SE' and `DSV.SU.SE'
 to cross it. Since `STACKEN.KTH.SE' only has a direct cross realm setup
 with `KTH.SE', and `DSV.SU.SE' only has a direct cross realm setup with
 `SU.SE', they need to use both `SU.SE' and `KTH.SE' as transit realms.
 
      [capaths]
              SU.SE = {
                      STACKEN.KTH.SE = KTH.SE
              }
              DSV.SU.SE = {
                      STACKEN.KTH.SE = SU.SE KTH.SE
              }
 
 The order of the `PERMITTED-CROSS-REALMS' is not important when doing
 transit cross realm verification.
 
 However, the order is important when the `[capaths]' section is used to
 figure out the intermediate realm to go to when doing multi-realm
 transit. When figuring out the next realm, the first realm of the list
 of `PERMITTED-CROSS-REALMS' is chosen. This is done in both the client
 kerberos library and the KDC.
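 The two uses of `[capaths]' described above, as an added example in Python that is not part of Heimdal: a minimal parser for the section, the unordered transit check, and the ordered next-hop lookup. How a missing entry is handled (nothing to verify for a direct cross realm; go straight to the server realm) is an assumption of this example, not something the text states.

```python
# Added example (not Heimdal's own code): a minimal model of how the
# [capaths] section is consulted, using the SU.SE / DSV.SU.SE example above.

# Constructed input: the krb5.conf fragment shown in the text.
CAPATHS_CONF = """
[capaths]
        SU.SE = {
                STACKEN.KTH.SE = KTH.SE
        }
        DSV.SU.SE = {
                STACKEN.KTH.SE = SU.SE KTH.SE
        }
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [permitted cross realms]}}."""
    capaths, client, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):          # a new section header
            in_section = line == "[capaths]"
        elif not in_section:
            continue
        elif line.endswith("{"):          # CLIENT-REALM = {
            client = line[:-1].strip(" =")
            capaths[client] = {}
        elif line == "}":
            client = None
        elif client is not None and "=" in line:   # SERVER-REALM = realms...
            server, permitted = (p.strip() for p in line.split("=", 1))
            capaths[client][server] = permitted.split()
    return capaths

def transit_ok(capaths, client_realm, server_realm, transited):
    """Verification: every realm in the ticket's transited-realms field must
    be listed for this client/server pair; order is ignored, as the text says.
    Assumption: an empty transited field (direct cross realm) needs no entry."""
    if not transited:
        return True
    permitted = capaths.get(client_realm, {}).get(server_realm, [])
    return set(transited) <= set(permitted)

def next_hop(capaths, client_realm, server_realm):
    """Path selection: the first listed realm is the one to ask next.
    Assumption: with no entry, the client contacts the server realm directly."""
    permitted = capaths.get(client_realm, {}).get(server_realm)
    return permitted[0] if permitted else server_realm
```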
 