
Managing Multiple Realms
Configuring Direct Trust Relationships
Chapter 10 (page 280)
• The Kerberos server does not recognize the realm named in the
interrealm ticket, that is, no proper trust relationship has been
established between the two realms.
• The Kerberos server does not recognize the requested service
principal and has no further trust relationship through which it
could return an interrealm ticket for another realm.
To set up cross-realm authentication between the two realms
ADMIN.BAMBI.COM and IT.BAMBI.COM, you create two special principals,
and you create both of them on each Key Distribution Center (KDC), as
shown in the following example:
krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM
krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM
Together, these two principals establish a two-way trust relationship.
If you want only a one-way trust relationship, create just one of
them. For example, the following principal, which must still exist on
both KDCs, lets principals in IT.BAMBI.COM obtain service tickets in
ADMIN.BAMBI.COM, but not the reverse:
krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM
Each cross-realm principal must have the same password on both KDCs,
because the KDC of one realm issues the interrealm ticket under that
key and the KDC of the other realm must decrypt it with the same key.
The two different cross-realm principals, however, do not need
matching passwords.
For example, krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM must have the
same password on each KDC, but
krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM and
krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM do not have to share the same
password.
Treat each of these passwords as a shared secret that protects the
trust itself: anyone who knows the key of
krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM can forge interrealm tickets that
the ADMIN.BAMBI.COM KDC accepts. Use a long random value, protect it
as you would the KDC master key, and create the principal with the
same encryption type and salt on both KDCs so that the derived keys
are actually identical.
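The following script is an added example and is not part of the original manual. Given the two realm names and a trust direction, it prints the kadmin.local commands that have to be run on each KDC so that the cross-realm krbtgt principals exist with identical keys, plus the commands a user would run afterwards to exercise the trust. The environment variable name XREALM_PW and the placeholder service name passed to kvno are assumptions of this example, not features of kadmin or kvno.

```shell
#!/bin/sh
# Added example (not from the original manual). Prints, rather than runs, the
# kadmin.local commands for cross-realm trust so the same list can be executed
# on BOTH KDCs. Realms follow the manual: ADMIN.BAMBI.COM and IT.BAMBI.COM.

# Principals needed for a trust from LOCAL to REMOTE ("one-way") or in both
# directions ("two-way", the default). krbtgt/REMOTE@LOCAL is the principal
# that lets LOCAL's users obtain service tickets in REMOTE.
cross_realm_principals() {
    _l=$1; _r=$2; _m=${3:-two-way}
    printf 'krbtgt/%s@%s\n' "$_r" "$_l"
    [ "$_m" = two-way ] && printf 'krbtgt/%s@%s\n' "$_l" "$_r"
    return 0
}

# One addprinc per principal. -e pins the encryption type and salt type so
# both KDCs derive the same key from the same password; -pw takes the shared
# secret from XREALM_PW (an assumed variable name; set it once, use it on
# each KDC, then unset it). Pass one-way or two-way as the third argument.
cross_realm_commands() {
    cross_realm_principals "$@" | while read -r p; do
        printf 'kadmin.local -q "addprinc -e aes256-cts-hmac-sha1-96:normal -pw $XREALM_PW %s"\n' "$p"
    done
}

# Commands a user in LOCAL runs to exercise the trust toward REMOTE. Asking
# for any service in REMOTE makes the client fetch krbtgt/REMOTE@LOCAL first,
# and klist then shows that cross-realm TGT in the credential cache. The
# default service name is a placeholder; substitute a real host in REMOTE.
verify_trust_commands() {
    _l=$1; _r=$2; _svc=${3:-host/some.server.in.remote.realm}
    printf 'kinit someuser@%s\n' "$_l"
    printf 'kvno %s@%s\n' "$_svc" "$_r"
    printf 'klist | grep krbtgt/%s@%s\n' "$_r" "$_l"
}

# Usage: sh setup_cross_realm.sh LOCAL_REALM REMOTE_REALM [one-way|two-way]
case "${1:-}" in
    "") ;;
    *)  cross_realm_commands "$@"
        echo '# then, as a user of the local realm:'
        verify_trust_commands "$1" "$2" ;;
esac
```

Running `sh setup_cross_realm.sh IT.BAMBI.COM ADMIN.BAMBI.COM one-way` prints a single addprinc for krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM, the manual's one-way case; that same command, with the same XREALM_PW value, must be executed on the IT.BAMBI.COM KDC and on the ADMIN.BAMBI.COM KDC. Because -pw puts the secret on the command line, where other local users can see it in the process list, run it only on the KDC hosts themselves or drop -pw and let kadmin.local prompt for the password interactively.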