multiple realm KDC support (was Re: preauth plugin configuration issues)

Tim Mooney mooney at dogbert.cc.ndsu.NoDak.edu
Tue Mar 6 15:27:01 EST 2007 

In regard to: multiple realm KDC support (was Re: preauth plugin...:

> On Mar 3, 2007, at 19:50, Tim Mooney wrote:
>> In regard to: Re: preauth plugin configuration issues, Sam Hartman
>> said (at...:
>>> We used to support more than one realm per KDC the way Kevin is
>>> talking about.  I personally don't think it works, and if that's
>>> true,
>>> I agree Kevin should ignore it.  However Ken thinks it does still
>>> work.  We have not verified yet.
>>
>> It seems to be working for us.  We're running 11 realms with one KDC
>> process using Red Hat 4's 1.3.4-33 packages.  We previously ran the
>> exact same config with their 1.2.x packages under RHEL 3.
>
> As Sam noted, I believe it works, or at least doesn't take much work
> to make the KDC work.  (Though as Nico notes, that's not the case for
> kadmind.)  I know I've heard of someone doing it recently,
> unfortunately, I just can't remember who it was, or what version of
> the software. :-(  (Could it have been you, Tim?  Has there been
> other email about this in recent months?)

It might have been me.  I recall someone else asking about whether it
can be done several months back, and I likely responded.

>> We weren't aware that MIT had deprecated that type of configuration.
>
> It's not so much deprecated as untested, I think.  At least, I don't
> recall any decision to specifically make it deprecated, we just
> aren't putting in any effort.

That's kind of what I expected, and I guess it's better news that having
it actively deprecated.

>  In fact, if someone wanted to test it
> out in 1.6 and submit some patches to make the test suite exercise
> it, I think we could pretty easily fix that.  (Barring, of course,
> some actual decision to deprecate it.)

As much as I would like to contribute something back, especially when
we're one of a small group of users of that feature, I can't make any
commitment to doing something like that, at this point.  I will keep it
on the pet projects list in case I find some time down the road.  I'll
also suggest it to my manager, to see if he'll prioritize it for someone
in my workgroup.

Tim
-- 
Tim Mooney                              mooney at dogbert.cc.ndsu.NoDak.edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

More information about the krbdev mailing list