Managing Multiple Realms
Chapter 10, page 279

Configuring Direct Trust Relationships
If the Kerberos security servers manage all the realms in a multirealm
environment, you must add interrealm principals to the principal
databases for each realm.
Interrealm principals are special-case krbtgt/REALM1@REALM2 principal
accounts, where krbtgt/REALM1 is the ticket-granting service principal
for realm 1 and REALM2 is the foreign realm.
A direct trust relationship exists when the server that hosts Realm 1
directly trusts the server that hosts Realm 2.
The client system constructs the interrealm ticket request rather than
the servers. Interrealm authentication begins when a user requests a
service ticket for a service that is not in the default realm of the user.
The client software constructs the service ticket request, and sends it to
the Kerberos server that supports the default realm of the user. Because
the service is not in that realm, the Kerberos server cannot return a
service ticket. However, if it has a direct trust link to the realm of the
service, it can return an interrealm ticket for the realm of the service.
When the client receives the interrealm ticket, it sends the interrealm
ticket with the service ticket request to the Kerberos server that
supports the realm of the service.
When a foreign Kerberos server receives an interrealm ticket with a
service ticket request, and if the interrealm ticket was obtained from a
realm where a direct trust relationship exists, the foreign Kerberos
server returns the service ticket. For this process to work on the server,
the following conditions must be met:
The user principal must be able to authenticate in the default realm
of the user.
You must establish a trust relationship between the default realm of
the user and the realm of the service.
The Kerberos server returns a failure for any of the following reasons:
The client authentication fails.
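The following is an added, simplified model of the exchange described above; it is not code from this guide or from any Kerberos implementation. Tickets are plain records with no encryption, and the shared interrealm key is modelled by both realms' principal databases containing the same krbtgt/REMOTE@LOCAL name. The realm names, user accounts, passwords and service principals are constructed for the example. It shows the three outcomes the text describes: a service ticket obtained through a direct trust, a failure because client authentication fails, and a failure because no trust relationship exists between the user's realm and the service's realm.

```python
"""Simplified model of a Kerberos direct-trust (interrealm) ticket flow.

Constructed example: no cryptography, tickets are plain records, and the
interrealm key is represented by both realms' databases holding the same
krbtgt/REMOTE@LOCAL principal name.
"""
from dataclasses import dataclass


class KerberosError(Exception):
    """Failure returned by a KDC (authentication or trust problem)."""


@dataclass(frozen=True)
class Ticket:
    kind: str    # "tgt", "interrealm" or "service"
    client: str  # user@REALM the ticket was issued to
    server: str  # principal the ticket is for, e.g. krbtgt/SALES@ENG
    issuer: str  # realm whose KDC issued the ticket


def realm_of(principal: str) -> str:
    """Return the realm part of a principal such as user@REALM."""
    return principal.rsplit("@", 1)[1]


class Kdc:
    """One realm's Kerberos server with its principal database."""

    def __init__(self, realm, users, principals):
        self.realm = realm
        self.users = dict(users)             # user -> password (constructed)
        self.principals = set(principals)    # names in this realm's database

    def authenticate(self, user, password):
        """AS exchange: the user must authenticate in the default realm."""
        if self.users.get(user) != password:
            raise KerberosError("client authentication failed")
        return Ticket("tgt", f"{user}@{self.realm}",
                      f"krbtgt/{self.realm}@{self.realm}", self.realm)

    def request_ticket(self, ticket, service):
        """TGS exchange: returns a service ticket or an interrealm ticket."""
        target_realm = realm_of(service)
        if ticket.kind == "tgt":
            if ticket.issuer != self.realm:
                raise KerberosError("TGT was not issued by this realm")
            if target_realm == self.realm:
                if service not in self.principals:
                    raise KerberosError(f"unknown service {service}")
                return Ticket("service", ticket.client, service, self.realm)
            # Service lives elsewhere: we can only hand out an interrealm
            # ticket if this realm has a direct trust link to the target.
            xrealm = f"krbtgt/{target_realm}@{self.realm}"
            if xrealm not in self.principals:
                raise KerberosError(
                    f"no direct trust from {self.realm} to {target_realm}")
            return Ticket("interrealm", ticket.client, xrealm, self.realm)
        if ticket.kind == "interrealm":
            # Foreign KDC side: the ticket must be for our realm and come
            # from a realm we share an interrealm principal with.
            expected = f"krbtgt/{self.realm}@{ticket.issuer}"
            if ticket.server != expected or expected not in self.principals:
                raise KerberosError(
                    "interrealm ticket not from a directly trusted realm")
            if target_realm != self.realm or service not in self.principals:
                raise KerberosError(f"unknown service {service}")
            return Ticket("service", ticket.client, service, self.realm)
        raise KerberosError(f"unexpected ticket type {ticket.kind}")


def get_service_ticket(kdcs, user, password, service):
    """Client-side walk from the text: home KDC first, then foreign KDC."""
    home = kdcs[realm_of(user)]
    tgt = home.authenticate(user.split("@", 1)[0], password)
    first = home.request_ticket(tgt, service)
    if first.kind == "service":
        return first
    return kdcs[realm_of(service)].request_ticket(first, service)


def outcome(kdcs, user, password, service):
    """Human-readable result of a request, for demonstration and checks."""
    try:
        t = get_service_ticket(kdcs, user, password, service)
        return f"service ticket for {t.server} issued by {t.issuer}"
    except KerberosError as err:
        return f"error: {err}"


# Constructed realms: ENG and SALES share a direct trust; ISOLATED trusts nobody.
ENG, SALES, ISOLATED = "ENG.EXAMPLE.COM", "SALES.EXAMPLE.COM", "ISOLATED.EXAMPLE.COM"
FS = f"host/fs.sales.example.com@{SALES}"
KDCS = {
    ENG: Kdc(ENG, {"alice": "pw-alice"},
             {f"krbtgt/{ENG}@{ENG}", f"krbtgt/{SALES}@{ENG}"}),
    SALES: Kdc(SALES, {},
               {f"krbtgt/{SALES}@{SALES}", f"krbtgt/{SALES}@{ENG}", FS}),
    ISOLATED: Kdc(ISOLATED, {}, {f"krbtgt/{ISOLATED}@{ISOLATED}"}),
}

if __name__ == "__main__":
    print(outcome(KDCS, f"alice@{ENG}", "pw-alice", FS))
    print(outcome(KDCS, f"alice@{ENG}", "wrong", FS))
    print(outcome(KDCS, f"alice@{ENG}", "pw-alice", f"host/db@{ISOLATED}"))
```

The foreign KDC accepts the interrealm ticket only when the krbtgt/SALES@ENG principal is present in its own database, which is the modelled equivalent of having the interrealm principal added to each realm as the section requires; removing that entry from the SALES database makes the second hop fail even though the ENG server was willing to issue the interrealm ticket.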