Configuring Cross-Realm Authentication

You have several ways of linking realms together so that users in one realm can be authenticated in another realm. Cross-realm authentication is accomplished by establishing a secret key that is shared between the two realms. The relationship of the realms can be either hierarchical or directional (see Realm Hierarchy).

How to Establish Hierarchical Cross-Realm Authentication

The example in this procedure uses two realms, ENG.EAST.EXAMPLE.COM and EAST.EXAMPLE.COM. Cross-realm authentication will be established in both directions. This procedure must be completed on the master KDC in both realms.

Before You Begin

The master KDC for each realm must be configured. To fully test the authentication process, several Kerberos clients must be configured.
1. Become superuser on the first master KDC.

2. Create ticket-granting ticket service principals for the two realms.

You must log in with one of the admin principal names that was created when you configured the master KDC.

# /usr/sbin/kadmin -p kws/admin
Enter password: <Type kws/admin password>
kadmin: addprinc krbtgt/ENG.EAST.EXAMPLE.COM@EAST.EXAMPLE.COM
Enter password for principal krbtgt/ENG.EAST.EXAMPLE.COM@EAST.EXAMPLE.COM: <Type password>
kadmin: addprinc krbtgt/EAST.EXAMPLE.COM@ENG.EAST.EXAMPLE.COM
Enter password for principal krbtgt/EAST.EXAMPLE.COM@ENG.EAST.EXAMPLE.COM: <Type password>
kadmin: quit

Note - The password that is specified for each service principal must be identical in both KDCs. Thus, the password for the service principal krbtgt/ENG.EAST.EXAMPLE.COM@EAST.EXAMPLE.COM must be the same in both realms.
3. Add entries to the Kerberos configuration file (krb5.conf) to define domain names for every realm.

# cat /etc/krb5/krb5.conf
[libdefaults]
 .
 .
[domain_realm]
        .eng.east.example.com = ENG.EAST.EXAMPLE.COM
        .east.example.com = EAST.EXAMPLE.COM

In this example, domain names for the ENG.EAST.EXAMPLE.COM and EAST.EXAMPLE.COM realms are defined. It is important to include the subdomain first, because the file is searched top down.

4. Copy the Kerberos configuration file to all clients in this realm.

For cross-realm authentication to work, all systems (including slave KDCs and other servers) must have the new version of the Kerberos configuration file (/etc/krb5/krb5.conf) installed.

5. Repeat all of these steps in the second realm.

How to Establish Direct Cross-Realm Authentication

The example in this procedure uses two realms, ENG.EAST.EXAMPLE.COM and SALES.WEST.EXAMPLE.COM. Cross-realm authentication will be established in both directions. This procedure must be completed on the master KDC in both realms.

Before You Begin

The master KDC for each realm must be configured. To fully test the authentication process, several Kerberos clients must be configured.
1. Become superuser on one of the master KDC servers.

2. Create ticket-granting ticket service principals for the two realms.

You must log in with one of the admin principal names that was created when you configured the master KDC.

# /usr/sbin/kadmin -p kws/admin
Enter password: <Type kws/admin password>
kadmin: addprinc krbtgt/ENG.EAST.EXAMPLE.COM@SALES.WEST.EXAMPLE.COM
Enter password for principal krbtgt/ENG.EAST.EXAMPLE.COM@SALES.WEST.EXAMPLE.COM: <Type the password>
kadmin: addprinc krbtgt/SALES.WEST.EXAMPLE.COM@ENG.EAST.EXAMPLE.COM
Enter password for principal krbtgt/SALES.WEST.EXAMPLE.COM@ENG.EAST.EXAMPLE.COM: <Type the password>
kadmin: quit

Note - The password that is specified for each service principal must be identical in both KDCs. Thus, the password for the service principal krbtgt/ENG.EAST.EXAMPLE.COM@SALES.WEST.EXAMPLE.COM must be the same in both realms.
3. Add entries in the Kerberos configuration file to define the direct path to the remote realm.

This example shows the clients in the ENG.EAST.EXAMPLE.COM realm. You would need to swap the realm names to get the appropriate definitions in the SALES.WEST.EXAMPLE.COM realm.

# cat /etc/krb5/krb5.conf
[libdefaults]
 .
 .
[capaths]
    ENG.EAST.EXAMPLE.COM = {
        SALES.WEST.EXAMPLE.COM = .
    }
    SALES.WEST.EXAMPLE.COM = {
        ENG.EAST.EXAMPLE.COM = .
    }

4. Copy the Kerberos configuration file to all clients in the current realm.

For cross-realm authentication to work, all systems (including slave KDCs and other servers) must have the new version of the Kerberos configuration file (/etc/krb5/krb5.conf) installed.

5. Repeat all of these steps for the second realm.
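The script below is an added example and is not part of the Solaris guide. It covers both procedures above: it parses the [domain_realm] and [capaths] stanzas with a minimal parser written for this example, flags a parent domain that is listed before one of its subdomains (the top-down ordering problem the hierarchical procedure warns about), lists the krbtgt principals a client must be able to obtain for each realm pair (the same names the kadmin sessions create), and shows why the direct path matters by comparing the capaths route with the hop-by-hop hierarchical walk Kerberos would otherwise take between ENG.EAST.EXAMPLE.COM and SALES.WEST.EXAMPLE.COM. The sample krb5.conf is constructed from the two stanzas on this page; the parser keeps only a single-hop capaths value and does not handle repeated keys for multi-hop paths.

```python
"""Added example (not from the Solaris guide): sanity-check the cross-realm
stanzas of a krb5.conf file. Minimal parser written for this example; the
sample configuration is constructed from the two stanzas on the page."""
import re

# Constructed sample: both stanzas from the page merged into one file.
SAMPLE_KRB5_CONF = """
[domain_realm]
        .eng.east.example.com = ENG.EAST.EXAMPLE.COM
        .east.example.com = EAST.EXAMPLE.COM
[capaths]
    ENG.EAST.EXAMPLE.COM = {
        SALES.WEST.EXAMPLE.COM = .
    }
    SALES.WEST.EXAMPLE.COM = {
        ENG.EAST.EXAMPLE.COM = .
    }
"""


def parse_krb5_conf(text):
    """Return {section: [(key, value), ...]}; a '{ ... }' value becomes a dict.
    Repeated keys inside a block (multi-hop capaths) are not supported."""
    sections, current, nested = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line == "}":
            nested = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            nested = key
            sections[current].append((key, {}))
        elif nested is not None:
            sections[current][-1][1][key] = value
        else:
            sections[current].append((key, value))
    return sections


def domain_realm_order_problems(domain_realm):
    """(parent, child) pairs where a parent domain is listed before a subdomain.
    The guide says the map is searched top down, so a parent listed first
    would capture the subdomain's hosts and map them to the wrong realm."""
    problems = []
    for i, (parent, _) in enumerate(domain_realm):
        for child, _ in domain_realm[i + 1:]:
            if child != parent and child.endswith(parent):
                problems.append((parent, child))
    return problems


def hierarchical_path(client_realm, server_realm):
    """Realm chain used when no [capaths] rule applies: up from the client
    realm to the nearest common ancestor, then down to the server realm.
    Every hop needs its own shared krbtgt key. [] if no common suffix."""
    c, s = client_realm.split("."), server_realm.split(".")
    n = 0  # common suffix length, in labels
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    if n == 0:
        return []
    up = [".".join(c[i:]) for i in range(1, len(c) - n + 1)]
    down = [".".join(s[i:]) for i in range(len(s) - n - 1, 0, -1)]
    path = [client_realm] + up + down + [server_realm]
    # drop the duplicate that appears when one realm is the other's ancestor
    return [r for i, r in enumerate(path) if i == 0 or r != path[i - 1]]


def effective_path(sections, client_realm, server_realm):
    """Apply a [capaths] rule if present; '.' means a direct hop."""
    capaths = dict(sections.get("capaths", []))
    rule = capaths.get(client_realm, {}).get(server_realm)
    if rule == ".":
        return [client_realm, server_realm]
    if rule:  # a single intermediate realm, the only form this parser keeps
        return [client_realm, rule, server_realm]
    return hierarchical_path(client_realm, server_realm)


def hop_principals(path):
    """krbtgt principals a client in path[0] must obtain, hop by hop."""
    return [f"krbtgt/{b}@{a}" for a, b in zip(path, path[1:])]


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("ordering problems:", domain_realm_order_problems(conf["domain_realm"]))
    for target in ("EAST.EXAMPLE.COM", "SALES.WEST.EXAMPLE.COM"):
        print(target, hop_principals(effective_path(conf, "ENG.EAST.EXAMPLE.COM", target)))
    print("no capaths:", hierarchical_path("ENG.EAST.EXAMPLE.COM", "SALES.WEST.EXAMPLE.COM"))
```

Run it against a real /etc/krb5/krb5.conf by reading the file into parse_krb5_conf instead of SAMPLE_KRB5_CONF. The hierarchical_path output makes the cost of omitting [capaths] concrete: without the direct rule, a ticket from ENG.EAST.EXAMPLE.COM to SALES.WEST.EXAMPLE.COM would have to transit EAST.EXAMPLE.COM, EXAMPLE.COM and WEST.EXAMPLE.COM, each of which would need its own krbtgt shared key and KDC.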