

4.14 Transit policy

If you want to use cross realm authentication through an intermediate realm, it must be explicitly allowed by either the KDCs or the server receiving the request. This is done in krb5.conf in the [capaths] section.

When a ticket transits through one realm on its way to another, the destination realm adds its peer to the "transited-realms" field in the ticket. The field is treated as unordered, since there is no way to know whether one of the transited realms changed the order of the list.

The syntax of the [capaths] section is:

     [capaths]
             CLIENT-REALM = {
                     SERVER-REALM = PERMITTED-CROSS-REALMS ...
             }

In the following example, the realm STACKEN.KTH.SE allows clients from SU.SE and DSV.SU.SE to cross it. Since STACKEN.KTH.SE only has a direct cross realm setup with KTH.SE, and DSV.SU.SE only has a direct cross realm setup with SU.SE, clients from DSV.SU.SE need to use both SU.SE and KTH.SE as transit realms.

     [capaths]
             SU.SE = {
                     STACKEN.KTH.SE = KTH.SE
             }
             DSV.SU.SE = {
                     STACKEN.KTH.SE = SU.SE KTH.SE
             }

The order of the PERMITTED-CROSS-REALMS is not important when doing transit cross realm verification.

However, the order is important when the [capaths] section is used to figure out which intermediate realm to go to next when doing multi-realm transit. When choosing the next realm, the first realm in the list of PERMITTED-CROSS-REALMS is taken. This is done in both the client Kerberos library and the KDC.
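The two uses of [capaths] described above, transit verification (unordered) and next-hop selection (ordered), modelled in Python as an added illustration; this is not Heimdal's code, and the minimal parser, the function names and the check logic are simplifying assumptions that only cover the stanza shape shown on this page.

```python
# Constructed sample: the [capaths] stanza from this page as it would appear
# in krb5.conf. The parser below is a deliberate simplification that only
# understands this shape, not Heimdal's full krb5.conf grammar.
SAMPLE_KRB5_CONF = """
[capaths]
    SU.SE = {
        STACKEN.KTH.SE = KTH.SE
    }
    DSV.SU.SE = {
        STACKEN.KTH.SE = SU.SE KTH.SE
    }
"""


def parse_capaths(text):
    """Return {client_realm: {server_realm: [permitted transit realms]}}."""
    capaths, client, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line == "[capaths]"
            continue
        if not in_section:
            continue
        if line.endswith("{"):                 # "CLIENT-REALM = {"
            client = line[:-1].strip(" =")
            capaths.setdefault(client, {})
        elif line == "}":
            client = None
        elif client is not None and "=" in line:   # "SERVER-REALM = R1 R2 ..."
            server, _, realms = line.partition("=")
            capaths[client][server.strip()] = realms.split()
    return capaths


def transit_allowed(capaths, client_realm, server_realm, transited):
    """Verification: every realm in the ticket's transited-realms field must be
    an explicitly permitted intermediate. Order is ignored because the field is
    unordered; an empty list (direct cross realm) is always allowed."""
    permitted = set(capaths.get(client_realm, {}).get(server_realm, []))
    return set(transited) <= permitted


def next_hop(capaths, client_realm, server_realm):
    """Path selection: the first listed permitted realm is the next realm to
    obtain a cross-realm ticket from; None when no path is configured."""
    path = capaths.get(client_realm, {}).get(server_realm)
    return path[0] if path else None
```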