Does kadmind work on a multi-realm KDC?

Dr. Greg Wettstein greg at wind.enjellic.com
Fri Sep 5 09:52:37 EDT 2003


On Sep 5,  7:57am, "Nikola Milutinovic" wrote:
} Subject: Re: Does kadmind work on a multi-realm KDC?

Good morning Nikola and to the list.

> > We've had experience supporting multi realms on a single server.  Here
> > is what you want to do:
> > 
> > 1.) Start one instance of kadmind for each realm that you want to
> >     administrate.  Use the -r switch on the commandline to specify the
> >     realm that will be managed, ie:
> > 
> > kadmind -r SOME.REALM
> > 
> > 2.) Use the following two directives in the realm stanza in the
> >     kdc.conf file to specify the ports that the administrative daemon
> >     will listen on for RPC administrative traffic and password
> >     changes:
> > 
> > kadmind_port = NNN
> > kpasswd_port = NNN

> Is there a plan and possibility in kadmin protocol to support
> multiple realms on one port (one kadmind)? I have a situation where I
> would have 14 realms. Fortunately, I'll have 10 Alpha Servers, but
> still, I'd need something elegant and scalable. The current solution
> both in Heimdal and MIT is lacking on that.

I've been involved with situations where there have been six realms
supported on a single machine.  The solution scaled within that
context.  I will concede that running separate administrative servers
each with their own sets of ports doesn't seem optimum.

As to changing this environment I would have to defer to the gentlemen
from MIT on that one.  I don't have enough experience, other than
programming through the API, with the RPC based administrative
protocol to comment on the feasibility of multi-domain administrative
support.

It seems that none of the administrative schemes are remotely
standardized.  Witness the incompatibilities between MIT, HEIMDAL,
SEAM and Microsoft in this arena.  It would certainly seem that the
community is not locked into a particular solution yet.

And there is always the source code.... :-)

> >     You will want to choose port numbers in the restricted, ie. <
> >     1024, range.
> 
> That range is a bit crammed...

Yes, certainly it is.  In retrospect there probably wasn't a good
reason to conclude with that statement.

One could wave one's hands around and make noise about security issues
surrounding attaching to a non-restricted port on a machine to carry
out security administration I suppose.  It undoubtedly is one of those
decisions which will be dictated by local needs and security tolerances.

> Nix.

Good luck with your work.

}-- End of excerpt from "Nikola Milutinovic"

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"Given a choice between a complex, difficult-to-understand,
disconcerting explanation and a simplistic, comforting one, many
prefer simplistic comfort if it's remotely plausible, especially if it
involves blaming someone else for their problems."
                                -- Bob Lewis
                                   _Infoworld_
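The per-realm kadmind setup quoted in the thread (one `kadmind -r REALM` per realm, each realm stanza in kdc.conf carrying its own `kadmind_port` and `kpasswd_port`) only works if no two listeners claim the same port. The script below is an added example, not code from the thread or from MIT krb5: it parses a constructed kdc.conf, fills in the MIT defaults (749 and 464, an assumption about the defaults in use) for any realm that omits a directive, and reports the port collisions that would make the second kadmind instance fail to bind.

```python
import re

# MIT krb5 defaults applied when a realm stanza omits the directive
# (assumption: stock MIT defaults). Two realms that both omit one collide.
DEFAULT_PORTS = {"kadmind_port": 749, "kpasswd_port": 464}

# Constructed sample kdc.conf: SECOND.EXAMPLE omits kpasswd_port, so both
# realms would try to bind their kpasswd listener to 464.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88
[realms]
    FIRST.EXAMPLE = {
        kadmind_port = 749
        kpasswd_port = 464
    }
    SECOND.EXAMPLE = {
        kadmind_port = 750
    }
"""

def parse_realm_ports(text):
    """Map each realm in [realms] to its effective kadmind/kpasswd ports."""
    realms, current, in_realms = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # section header
            in_realms = (line == "[realms]")
        elif in_realms and (m := re.match(r"^(\S+)\s*=\s*\{$", line)):
            current = m.group(1)            # opening of a realm stanza
            realms[current] = dict(DEFAULT_PORTS)
        elif line == "}":
            current = None                  # end of the realm stanza
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key in DEFAULT_PORTS:
                realms[current][key] = int(value)
    return realms

def port_conflicts(realms):
    """Ports claimed by more than one listener, with the claimants."""
    owners = {}
    for realm, ports in realms.items():
        for key, port in ports.items():
            owners.setdefault(port, []).append(f"{realm}:{key}")
    return {p: who for p, who in owners.items() if len(who) > 1}

def launch_commands(realms):  # one kadmind instance per realm
    return [f"kadmind -r {realm}" for realm in realms]
```

Run `port_conflicts(parse_realm_ports(SAMPLE_KDC_CONF))` before starting the instances from `launch_commands(...)`; an empty result means every realm's kadmind and kpasswd listener has a port of its own.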