From 1193f2ca5902b2fa28f41b6f3f9bd61ffa8c298a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Tue, 21 Oct 2003 06:21:03 +0000
Subject: [PATCH] describe Transit policy
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13029 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 doc/setup.texi | 50 ++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 48 insertions(+), 2 deletions(-)
diff --git a/doc/setup.texi b/doc/setup.texi
index 93347c08d..ba6bce00a 100644
--- a/doc/setup.texi
+++ b/doc/setup.texi
@@ -16,6 +16,7 @@
 * Incremental propagation::
 * Salting::
 * Cross realm::
+* Transit policy::
 * Setting up DNS::
 @end menu
@@ -509,7 +510,7 @@ the cell appended to the password.
 @end itemize
-@node Cross realm, Setting up DNS , Salting, Setting up a realm
+@node Cross realm, Transit policy , Salting, Setting up a realm
 @section Cross realm
 @cindex Cross realm
@@ -574,7 +575,52 @@ May 3 14:10:54 May 3 23:55:54 host/hummel.it.su.se@@SU.SE
 @end cartouche
 @end example
-@node Setting up DNS, , Cross realm, Setting up a realm
+@node Transit policy, Setting up DNS , Cross realm, Setting up a realm
+@section Transit policy
+@cindex Transit policy
+
+If you want to use cross realm authentication over an intermediate
+realm it must be explicitly allowed by either the KDCs or the server
+receiving the request. This is done in @file{krb5.conf} in the
+@code{[capaths]} section.
+
+When the a ticket is transited a though a realm to another realm, the
+destination realm adds it peer to the ``transited-realms'' field in
+the ticket. The field is unorded, this is since there is no way to
+know if one of the transited-realms changed the order of the list.
+
+The syntax for @code{[capaths]} section:
+
+@example
+@cartouche
+[capaths]
+ CLIENT-REALM = @{ SERVER-REALM = PERMITTED-CROSS-REALMS ... @}
+@end cartouche
+@end example
+
+The realm @code{STACKEN.KTH.SE} allows clients from @code{SU.SE} and
+@code{DSV.SU.SE} to cross in. Since @code{STACKEN.KTH.SE} only have
+cross realm with @code{KTH.SE}, and @code{DSV.SU.SE} only have cross
+realm with @code{SU.SE} they need to use both @code{SU.SE} and
+@code{KTH.SE} as transit realms.
+
+@example
+@cartouche
+[capaths]
+ SU.SE = @{
+ STACKEN.KTH.SE = KTH.SE
+ @}
+ DSV.SU.SE = @{
+ STACKEN.KTH.SE = KTH.SE SU.SE
+ @}
+
+@end cartouche
+@end example
+
+@c To test the cross realm configuration, use:
+@c kmumble transit-check client server transit-realms ...
+
+@node Setting up DNS, , Transit policy, Setting up a realm
 @section Setting up DNS
 @cindex Setting up DNS