If you want to use cross realm authentication through an intermediate realm, it must be explicitly allowed by either the KDCs or the server receiving the request. This is done in krb5.conf in the [capaths] section.
When a ticket transits through one realm on its way to another, the destination realm adds its peer to the "transited-realms" field in the ticket. The field is treated as unordered, since there is no way to know whether one of the transited realms changed the order of the list.
The syntax for the [capaths] section:

    [capaths]
        CLIENT-REALM = {
            SERVER-REALM = PERMITTED-CROSS-REALMS ...
        }
The realm STACKEN.KTH.SE allows clients from SU.SE and DSV.SU.SE to cross it. Since STACKEN.KTH.SE only has a direct cross realm setup with KTH.SE, and DSV.SU.SE only has a direct cross realm setup with SU.SE, they need to use both SU.SE and KTH.SE as transit realms.

    [capaths]
        SU.SE = {
            STACKEN.KTH.SE = KTH.SE
        }
        DSV.SU.SE = {
            STACKEN.KTH.SE = SU.SE KTH.SE
        }
The order of the PERMITTED-CROSS-REALMS is not important when doing transit cross realm verification. However, the order is important when the [capaths] section is used to figure out the intermediate realm to go to when doing multi-realm transit. When figuring out the next realm, the first realm of the list of PERMITTED-CROSS-REALMS is chosen. This is done in both the client Kerberos library and the KDC.
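The following is an added example, not Heimdal's own code: a small model of how a [capaths] section is read, how the next transit realm is chosen (first entry wins, so order matters) and how a ticket's transited-realms field is checked against it (membership only, so order does not matter). The sample section is the one from the text; the function names are assumptions for illustration.

```python
# Added example (not Heimdal's code): model of [capaths] parsing, next-hop
# selection and transited-realms verification as described above.

# Constructed sample: the [capaths] section from the text above.
CAPATHS_TEXT = """
[capaths]
    SU.SE = {
        STACKEN.KTH.SE = KTH.SE
    }
    DSV.SU.SE = {
        STACKEN.KTH.SE = SU.SE KTH.SE
    }
"""


def parse_capaths(text):
    """Return {CLIENT-REALM: {SERVER-REALM: [PERMITTED-CROSS-REALMS...]}},
    preserving list order because the next-hop lookup depends on it."""
    capaths, client, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments/whitespace
        if line.startswith("["):                   # section header
            in_section = line == "[capaths]"
        elif not line or not in_section:
            continue
        elif line.endswith("{"):                   # "CLIENT-REALM = {"
            client = line[:-1].strip().rstrip("=").strip()
            capaths[client] = {}
        elif line == "}":
            client = None
        elif client is not None and "=" in line:   # "SERVER-REALM = R1 R2 ..."
            server, realms = line.split("=", 1)
            capaths[client][server.strip()] = realms.split()
    return capaths


def next_hop(capaths, client_realm, server_realm):
    """Realm to ask for next when building a multi-realm path: the FIRST
    entry of PERMITTED-CROSS-REALMS, so here the order matters."""
    path = capaths.get(client_realm, {}).get(server_realm)
    return path[0] if path else None


def transit_allowed(capaths, client_realm, server_realm, transited):
    """Verify a ticket's transited-realms field. The field is unordered,
    so only set membership in PERMITTED-CROSS-REALMS is checked."""
    permitted = set(capaths.get(client_realm, {}).get(server_realm, []))
    return set(transited) <= permitted
```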