directory-kerby mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Kerby Update
Date Fri, 03 Nov 2017 11:03:41 GMT
Hi Jiajia,

I've been trying to get this new feature working, but unsuccessfully so far
- I get an error:

2017-11-03 10:58:41  INFO{DefaultInternalKrbClient.java:82}-Send to kdc
success.
2017-11-03 10:58:41  INFO{KrbHandler.java:120}-KDC server response with
message: Unknown error
2017-11-03 10:58:41  INFO{KrbHandler.java:142}-Unknown error

Could you clarify a few points for me please...

a) What information is required in the krb5.conf of the tool-dist?
b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM
realms) for the "Validate" section of the docs (
https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md)?
It's a little unclear as to how exactly it should be used.

Colm.

On Mon, Oct 23, 2017 at 2:22 AM, Li, Jiajia <jiajia.li@intel.com> wrote:

> Hi all,
>
> Recently we have implemented cross-realm authentication support: a KDC
> in one realm can authenticate users in a different realm, so it allows
> clients from another realm to access the cluster. Cross-realm authentication
> is accomplished by sharing a secret key between the two realms. Both
> backends should have the krbtgt service principals for the realms with the same
> passwords, key version numbers, and encryption types. We have used this
> feature in a Hadoop cluster: after establishing cross-realm trust between two
> secure Hadoop clusters with their own realms, copying data between the two
> secure clusters can work now. This support can also be used to build a
> trust relationship with an MIT Kerberos KDC, and we have tested compatibility.
>
> Here is the document about setting up cross realm:
> https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md
>
> Thanks,
> Jiajia
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
