directory-kerby mailing list archives

From "Li, Jiajia" <jiajia...@intel.com>
Subject RE: Kerby Update
Date Mon, 06 Nov 2017 01:46:17 GMT
Hi Colm,

>>>a) What information is required in the krb5.conf of the tool-dist?
The capaths, realms and domain_realm sections are required, the same as in MIT Kerberos.


>>>b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM
>>>realms) for the "Validate" section of the docs ( https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md)?

To validate that the user ("test") in realm A.EXAMPLE.COM is trusted to access the resource ("hdfs")
in the other realm B.EXAMPLE.COM, do the following steps (the conf dir is "conf"):
1. sh bin/kinit.sh -conf conf test@A.EXAMPLE.COM
We will get the credential cache ("/tmp/krb5cc_0").
2. sh bin/kinit.sh -conf conf -c /tmp/krb5cc_0 -S hdfs@B.EXAMPLE.COM
Then we will get the service tgt; MIT Kerberos uses "kvno" to get the service tgt in this step.


Thanks,
Jiajia
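As an added illustration of the reply above (not code from the thread or from the Kerby project): a shell script that writes a tool-dist krb5.conf containing the three sections named (realms, domain_realm, capaths) for A.EXAMPLE.COM and B.EXAMPLE.COM, checks that they are all present before the kinit steps, and wraps the two validation commands. The KDC hostnames and ports are constructed placeholders, and the direct-trust capaths entries assume the two realms share the krbtgt key as the original announcement describes.

```shell
#!/bin/sh
# Constructed example: krb5.conf for the Kerby tool-dist with the sections
# required for cross-realm (realms, domain_realm, capaths). The KDC host
# names and ports below are assumptions, not values from the thread.
write_cross_realm_krb5conf() {
    # $1 = path of the krb5.conf to create
    cat > "$1" <<'EOF'
[realms]
    A.EXAMPLE.COM = {
        kdc = kdc-a.example.com:88
    }
    B.EXAMPLE.COM = {
        kdc = kdc-b.example.com:88
    }

[domain_realm]
    .a.example.com = A.EXAMPLE.COM
    .b.example.com = B.EXAMPLE.COM

[capaths]
    # "." means a direct trust with no intermediate realm in the path
    A.EXAMPLE.COM = {
        B.EXAMPLE.COM = .
    }
    B.EXAMPLE.COM = {
        A.EXAMPLE.COM = .
    }
EOF
}

# Return 0 only if every required section exists and the capaths section
# names both realms; check this up front, before running the kinit steps.
check_cross_realm_krb5conf() {
    f="$1"
    for s in realms domain_realm capaths; do
        grep -q "^\[$s\]" "$f" || { echo "missing [$s] in $f" >&2; return 1; }
    done
    sed -n '/^\[capaths\]/,$p' "$f" | grep -q 'A.EXAMPLE.COM' || return 1
    sed -n '/^\[capaths\]/,$p' "$f" | grep -q 'B.EXAMPLE.COM' || return 1
}

# The two validation steps from the reply: get a TGT for test@A.EXAMPLE.COM,
# then use that cache to request the hdfs service in B.EXAMPLE.COM.
# Only meaningful inside an unpacked tool-dist where bin/kinit.sh exists.
validate_cross_realm() {
    sh bin/kinit.sh -conf "$1" test@A.EXAMPLE.COM || return 1
    sh bin/kinit.sh -conf "$1" -c /tmp/krb5cc_0 -S hdfs@B.EXAMPLE.COM
}
```

Run `write_cross_realm_krb5conf conf/krb5.conf && check_cross_realm_krb5conf conf/krb5.conf && validate_cross_realm conf` from the tool-dist directory; a failing check names the missing section on stderr.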

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Friday, November 3, 2017 7:04 PM
To: kerby@directory.apache.org
Subject: Re: Kerby Update

Hi Jiajia,

I've been trying to get this new feature working, but unsuccessfully so far - I get an error:

2017-11-03 10:58:41  INFO{DefaultInternalKrbClient.java:82}-Send to kdc success.
2017-11-03 10:58:41  INFO{KrbHandler.java:120}-KDC server response with message: Unknown error
2017-11-03 10:58:41  INFO{KrbHandler.java:142}-Unknown error

Could you clarify a few points for me please...

a) What information is required in the krb5.conf of the tool-dist?
b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM
realms) for the "Validate" section of the docs ( https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md)?
It's a little unclear as to how exactly it should be used.

Colm.

On Mon, Oct 23, 2017 at 2:22 AM, Li, Jiajia <jiajia.li@intel.com> wrote:

> Hi all,
>
> Recently we have implemented the cross-realm authentication support:
> a KDC in one realm can authenticate users in a different realm, so it
> allows a client from another realm to access the cluster. Cross-realm
> authentication is accomplished by sharing a secret key between the two
> realms. Both backends should have the krbtgt service principals for the
> realms with the same passwords, key version numbers, and encryption types.
> We have used this feature in a Hadoop cluster: after establishing cross
> realm trust between two secure Hadoop clusters with their own realms,
> copying data between the two secure clusters now works. This
> support can also be used to build a trust relationship with an MIT Kerberos KDC, and we have
> tested compatibility.
>
> Here is the document about setting up cross realm:
> https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md
>
> Thanks,
> Jiajia
>
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com