Project Review: kinit -C

Roland C. Dowdeswell elric at imrryr.org
Fri Sep 17 05:08:03 EDT 2010


On Thu, Sep 16, 2010 at 05:04:13PM -0500, Nicolas Williams wrote:
>

> On Thu, Sep 16, 2010 at 04:49:16PM -0500, Tim Mooney wrote:
> > In regard to: Re: Project Review: kinit -C, Nicolas Williams said (at...:
> > 
> > > IMO there should be a single KDB per-KDC host because: a) one should use
> > > VMs to run distinct realms' KDCs on a single system,
> > 
> > I'll bite.  Why?
> 
> First, remember that I'm saying I don't mind if Sam doesn't "change to
> the KDB keytab to take the realm of the KDB as its argument".  That is,
> I don't mind that, but I don't think it should be required.
> 
> Now, the answer to your question...  If you're going to run multiple
> KDCs on one system w/o virtualization, then you'll need to use non-
> default ports.  And while that's workable now that DNS SRV RRs can be
> used for discovery, using non-default port numbers is still a PITA.

Using non-default port numbers is not supported by SSPI on MSFT.
We found that Windows just ignored the port bit and tried 88, IIRC.
To run differently configured KDCs on the same host, you need to
use different IP addresses in a heterogeneous environment.

This wasn't supported in the version of krb5kdc we had, so I put
in a mode to start it out of xinetd which can bind to individual
addresses.  It also rather trivially allowed us to use more of our
CPUs on the problem.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
