directory-kerby mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: Kerby Update
Date Mon, 23 Oct 2017 02:37:48 GMT
Cool!!

Thanks Jiajia & Frank for working on this this, cross realm trust support! I thought this
makes Kerby a much further step, towards a decent and standalone Kerberos implementation.

-----Original Message-----
From: Li, Jiajia [mailto:jiajia.li@intel.com] 
Sent: Monday, October 23, 2017 9:22 AM
To: kerby@directory.apache.org
Subject: Kerby Update

Hi all,

Recently we have implemented the cross-realm authentication support, KDC in one realm can
authenticate users in a different realm, so it allows client from another realm to access
the cluster. Cross-realm authentication is accomplished by sharing a secret key between the
two realms. In both backends should have the krbtgt service principals for realms with same
passwords, key version numbers, and encryption types. We have used this feature in Hadoop
cluster, after establishing cross realm trust between two secure Hadoop clusters with their
own realms, copying data between two secure clusters can work now. And this support also can
be used to build trust relationship with MIT Kerberos KDC and we have tested compatibility.

Here is the document about setting up cross realm:
https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md

Thanks,
Jiajia


Mime
View raw message