Kerberos cross-realm support in Apache Kerby 1.1.0

A recent blog post covered how to install the Apache Kerby KDC. In this post we will build on that tutorial to show how to get a major new feature of Apache Kerby 1.1.0 to work - namely kerberos cross-realm support. Cross-realm support means that the KDCs in realm "A" and realm "B" are configured in such a way that a user who is authenticated in realm "A" can obtain a service ticket for a service in realm "B" without having to explicitly authenticate to the KDC in realm "B".

1) Configure the KDC for the "EXAMPLE.COM" realm

First we will configure the Apache Kerby KDC for the "EXAMPLE.COM" realm. Follow the previous tutorial to install and configure the KDC for this (default) realm. We need to follow some additional steps to get cross-realm support working with a second KDC in realm "EXAMPLE2.COM". Edit 'conf/krb5.conf' and replace the "realms" section with the following configuration:

	[realms]
	EXAMPLE.COM = {
	kdc = localhost:12345
	}
	EXAMPLE2.COM = {
	kdc = localhost:54321
	}
	[domain_realm]
	.EXAMPLE.COM = example.com
	EXAMPLE.COM = example.com
	.EXAMPLE2.COM = example2.com
	EXAMPLE2.COM = example2.com
	[capaths]
	EXAMPLE.COM = {
	EXAMPLE2.COM = .
	}
	EXAMPLE2.COM = {
	EXAMPLE.COM = .
	}

view raw krb5.conf hosted with ❤ by GitHub

Next we need to add a special principal to the KDC to enable cross-realm support via (after restarting the KDC):

• sh bin/kadmin.sh conf/ -k keytabs/admin.keytab
• addprinc -pw security krbtgt/EXAMPLE2.COM@EXAMPLE.COM

2) Configure the KDC for the "EXAMPLE2.COM" realm

Now we will configure a second KDC for the "EXAMPLE2.COM" realm. Download the Apache Kerby source code as before. Unzip the source and build the distribution via:

• mvn clean install -DskipTests
• cd kerby-dist
• mvn package -Pdist

Copy "kdc-dist" to a location where you wish to install the second KDC. In this directory, create a directory called "keytabs" and "runtime". Edit 'conf/backend.conf' and change the value for 'backend.json.dir' to avoid conflict with the first KDC instance. Then create some keytabs via:

• sh bin/kdcinit.sh conf keytabs

For testing purposes, we will change the port of the KDC from the default "88" to "54321" to avoid having to run the KDC with administrator privileges. Edit "conf/krb5.conf" and "conf/kdc.conf" and change "88" to "54321". In addition, change the realm from "EXAMPLE.COM" to "EXAMPLE2.COM" in both of these files. As above, edit 'conf/krb5.conf' and replace the "realms" section with the following configuration:

	[realms]
	EXAMPLE.COM = {
	kdc = localhost:12345
	}
	EXAMPLE2.COM = {
	kdc = localhost:54321
	}
	[domain_realm]
	.EXAMPLE.COM = example.com
	EXAMPLE.COM = example.com
	.EXAMPLE2.COM = example2.com
	EXAMPLE2.COM = example2.com
	[capaths]
	EXAMPLE.COM = {
	EXAMPLE2.COM = .
	}
	EXAMPLE2.COM = {
	EXAMPLE.COM = .
	}

view raw krb5.conf hosted with ❤ by GitHub

Next start the KDC via:

• sh bin/start-kdc.sh conf runtime

We need to add a special principal to the KDC to enable cross-realm support, as in the KDC for the "EXAMPLE.COM" realm. Note that it must be the same principal name and password as for the first realm. We will also add a principal for a service in this realm:

• sh bin/kadmin.sh conf/ -k keytabs/admin.keytab
• addprinc -pw security krbtgt/EXAMPLE2.COM@EXAMPLE.COM
• addprinc -pw password service@EXAMPLE2.COM

3) Obtaining a service ticket for service@EXAMPLE2.COM as alice@EXAMPLE.COM

Now we can obtain a service ticket for the service we have configured in the "EXAMPLE2.COM" realm as a user who is authenticated to the "EXAMPLE.COM" realm. Configure the "tool-dist" distribution as per the previous tutorial, updating 'conf/krb5.conf' with the same "realms", "domain_realm" and "capaths" information as shown above. Now we can authenticate as "alice" and obtain a service ticket as follows:

• sh bin/kinit.sh -conf conf alice@EXAMPLE.COM
• sh bin/kinit.sh -conf conf -c /tmp/krb5cc_1000 -S service@EXAMPLE2.COM

If you run "klist" then you should see that a ticket for "service@EXAMPLE2.COM" was obtained successfully.