Problems with Multiple Realms on One KDC

Matt Clausen mclausen at csit.fsu.edu
Tue Jun 8 11:22:06 EDT 2004


I'm having a bit of a mental block trying to establish multiple 
realms on a single KDC. I have everything set up in my kdc.conf and 
krb5.conf files, but it's as if kdb5_util isn't reading the kdc.conf file.

Here's an excerpt from my kdc.conf file:

-------------------------- /etc/krb5/kdc.conf --------------------------

# kdc.conf excerpt as posted; full-line '#' comments added for review.
# Both realms are served by one KDC process, so they share [kdcdefaults].
[kdcdefaults]
# single listening port, shared by both realms below
         kdc_ports = 88

[realms]
    <realm1> = {
       profile = /etc/krb5/krb5.conf
       database_name = /var/krb5kdc/principal
       admin_database_name = /var/krb5kdc/principal.kadm5
       admin_database_lockfile = /var/krb5kdc/principal.kadm5.lock
       admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
       acl_file = /var/krb5kdc/kadm5.acl
# the same dictionary file is reused by <realm2> below
       dict_file = /var/krb5kdc/kadm5.dict
# stash file holding the master key; krb5kdc reads it at start-up
       key_stash_file = /var/krb5kdc/.k5.<realm1>
# per-realm kadmin port; krb5.conf uses admin_server = <kdc1>:748 for this realm
       kadmin_port = 748
       max_life = 10h 0m 0s
       max_renewable_life = 7d 0h 0m 0s
       master_key_type = des3-hmac-sha1
# NOTE(review): des-cbc-crc is single DES, weak by modern standards; kept as posted
       supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }
    <realm2> = {
       profile = /etc/krb5/krb5.conf
# realm-specific files live in their own directory so they do not collide with <realm1>
       database_name = /var/krb5kdc/<realm2>/principal
       admin_database_name = /var/krb5kdc/<realm2>/principal.kadm5
     admin_database_lockfile = /var/krb5kdc/<realm2>/principal.kadm5.lock
       admin_keytab = FILE:/var/krb5kdc/<realm2>/kadm5.keytab
       acl_file = /var/krb5kdc/<realm2>/kadm5.acl
       dict_file = /var/krb5kdc/kadm5.dict
# matches the -sf path passed to "kdb5_util ... create -s" in the post
       key_stash_file = /var/krb5kdc/<realm2>/.k5.<realm2>
# per-realm kadmin port; krb5.conf uses admin_server = <kdc1>:749 for this realm
       kadmin_port = 749
       max_life = 10h 0m 0s
       max_renewable_life = 7d 0h 0m 0s
# NOTE(review): no master_key_type / supported_enctypes here, unlike <realm1>,
# so the build default applies -- confirm it matches the type used when the
# <realm2> database and stash were created
    }

-------------------------- /etc/krb5/kdc.conf --------------------------

Here's an excerpt from my krb5.conf file:

------------------------- /etc/krb5/krb5.conf -------------------------

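# krb5.conf excerpt as posted, with one fix: the [appdefaults] pam stanza was
# never closed, so "kinit = {" was nested inside it. Full-line '#' comments
# were added for review.
[libdefaults]
# NOTE(review): a bare number is read as seconds by MIT krb5 (600 s here,
# 36000 in the pam stanza below) -- confirm both values are intended
         ticket_lifetime = 600
         default_realm = <realm1>
# NOTE(review): des-cbc-crc / des-cbc-md5 are single-DES types, weak by
# modern standards; kept as posted
         default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
         default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
         permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
         kdc_timesync = 1
         ccache_type = 4
         forwardable = true
         proxiable = true

[realms]
# repeated "kdc" relations list several KDCs for one realm; both realms
# point at the same two hosts
         <realm1> = {
                 kdc = <kdc1>:88
                 kdc = <kdc2>:88
# port matches kadmin_port = 748 for <realm1> in kdc.conf
                 admin_server = <kdc1>:748
                 default_domain = csit.fsu.edu
                 }
         <realm2> = {
                 kdc = <kdc1>:88
                 kdc = <kdc2>:88
# port matches kadmin_port = 749 for <realm2> in kdc.conf
                 admin_server = <kdc1>:749
                 default_domain = csit.fsu.edu
                 }

[domain_realm]
# NOTE(review): only <realm1> is mapped; hosts that belong to <realm2> get no
# domain_realm mapping from this file -- confirm that is intended
         .csit.fsu.edu = <realm1>
         csit.fsu.edu = <realm1>

[kdc]
# location of kdc.conf for the KDC programs
# NOTE(review): kdb5_util also honours the KRB5_KDC_PROFILE environment
# variable; if it appears to ignore this file, confirm which path it resolves
         profile = /etc/krb5/kdc.conf

[logging]
         kdc = FILE:/var/log/kerberos/krb5kdc.log
         admin_server = FILE:/var/log/kerberos/kadmin.log
         default = FILE:/var/log/kerberos/krb5lib.log

[login]
         krb4_convert = false
         krb4_get_tickets = false

[appdefaults]
         pam = {
                 debug = false
                 ticket_lifetime = 36000
                 renew_lifetime = 36000
                 forwardable = true
                 krb4_convert = false
# closing brace added: as posted, this stanza ran on into "kinit = {"
         }

         kinit = {
                 forwardable = true
                 renewable = true
         }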

------------------------- /etc/krb5/krb5.conf -------------------------

I've created the database with kdb5_util -r <realm2> -d 
/var/krb5kdc/<realm2>/principal -sf /var/krb5kdc/<realm2>/.k5.<realm2> 
create -s

Yet when I try to launch krb5kdc -r <realm1> -r <realm2> I get this:

krb5kdc: Cannot find/read stored master key - while fetching master key 
K/M for realm <realm2>

Realm #1 works fine by itself, but when I try to bring the second one 
in, that's when all the problems occur.


