From: "Zheng, Kai"
To: "kerby@directory.apache.org", "dev@directory.apache.org"
Subject: RE: Kerby Update
Date: Mon, 23 Oct 2017 02:39:39 +0000

+ Directory.

Regards,
Kai

-----Original Message-----
From: Zheng, Kai [mailto:kai.zheng@intel.com]
Sent: Monday, October 23, 2017 10:38 AM
To: kerby@directory.apache.org
Subject: RE: Kerby Update

Cool!!

Thanks Jiajia & Frank for working on this, cross realm trust support! I thought this makes Kerby a much further step, towards a decent and standalone Kerberos implementation.

-----Original Message-----
From: Li, Jiajia [mailto:jiajia.li@intel.com]
Sent: Monday, October 23, 2017 9:22 AM
To: kerby@directory.apache.org
Subject: Kerby Update

Hi all,

Recently we have implemented the cross-realm authentication support: a KDC in one realm can authenticate users in a different realm, so it allows clients from another realm to access the cluster. Cross-realm authentication is accomplished by sharing a secret key between the two realms. Both backends should have the krbtgt service principals for the realms with the same passwords, key version numbers, and encryption types. We have used this feature in a Hadoop cluster; after establishing cross realm trust between two secure Hadoop clusters with their own realms, copying data between the two secure clusters can work now. This support can also be used to build a trust relationship with an MIT Kerberos KDC, and we have tested compatibility.

Here is the document about setting up cross realm:
https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md

Thanks,
Jiajia
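
A consistency check for the requirement described in the message above, as an added example that is not part of the original thread or of Kerby's code: it compares the cross-realm krbtgt entries held by two KDCs for matching key version numbers, encryption types and keys. The realm names, the `Key` record and all key values are constructed assumptions, a two-way trust is assumed, and exporting the entries from each backend is left out.

```python
# Added example: compare cross-realm krbtgt entries held by two KDCs.
# Realm names, the Key record and all key values are constructed samples.
from collections import namedtuple

Key = namedtuple("Key", "principal kvno enctype key_hex")

def trust_principals(realm_a, realm_b):
    # krbtgt/<target>@<source> is the key the source KDC encrypts a
    # cross-realm TGT with; the target KDC needs the same key to decrypt it.
    return [f"krbtgt/{realm_b}@{realm_a}", f"krbtgt/{realm_a}@{realm_b}"]

def index(entries, principal):
    return {(k.kvno, k.enctype): k.key_hex
            for k in entries if k.principal == principal}

def check_trust(db_a, db_b, realm_a, realm_b):
    """Return a list of mismatches; an empty list means both KDCs agree."""
    problems = []
    for princ in trust_principals(realm_a, realm_b):
        a, b = index(db_a, princ), index(db_b, princ)
        for realm, keys in ((realm_a, a), (realm_b, b)):
            if not keys:
                problems.append(f"{princ}: missing from {realm} KDC")
        if not a or not b:
            continue
        kv_a, kv_b = {k for k, _ in a}, {k for k, _ in b}
        if kv_a != kv_b:
            problems.append(f"{princ}: kvno {sorted(kv_a)} vs {sorted(kv_b)}")
            continue
        et_a, et_b = {e for _, e in a}, {e for _, e in b}
        if et_a != et_b:
            problems.append(f"{princ}: enctypes differ {sorted(et_a ^ et_b)}")
        for kvno, etype in sorted(a.keys() & b.keys()):
            if a[kvno, etype] != b[kvno, etype]:
                problems.append(f"{princ}: key differs for kvno {kvno} "
                                f"{etype} (different password?)")
    return problems

A, B = "A.EXAMPLE.COM", "B.EXAMPLE.COM"
AES = "aes256-cts-hmac-sha1-96"
DB_A = [Key(f"krbtgt/{B}@{A}", 1, AES, "11" * 32),
        Key(f"krbtgt/{A}@{B}", 1, AES, "22" * 32)]
DB_B_OK = list(DB_A)
DB_B_BAD = [Key(f"krbtgt/{B}@{A}", 1, AES, "33" * 32),   # other password
            Key(f"krbtgt/{A}@{B}", 2, AES, "22" * 32)]   # kvno drifted

if __name__ == "__main__":
    for line in check_trust(DB_A, DB_B_BAD, A, B) or ["trust keys consistent"]:
        print(line)
```

For a one-way trust only one of the two principals exists, so a "missing" finding for the other direction is expected there.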