One domain and 3 realms - Different situation than previous thread

fsoliv fsoliv at gmail.com
Mon Jun 13 10:33:18 EDT 2005


Hello,

I am studying a Kerberos implementation for my company.
I am planning to configure three realms.
The realms are A.BASE.COM, B.BASE.COM and BASE.COM (hierarchical).
I have only *one* DNS domain, base.com, and I won't be changing that.
My question is, will the fact of having one DNS domain affect the
Kerberos service in any way? I won't be using the dns_lookup_realm
and dns_lookup_kdc.

I know that in each client's /etc/krb5.conf file I can configure a
[domain_realm] section.

I have read this thread
http://mailman.mit.edu/pipermail/kerberos/2005-June/007876.html where
it is stated that this configuration will be an administration
nightmare. My situation is different from the situation in this thread
in the sense that although there are three realms, only machines from
location A will be in realm A.BASE.COM, machines in location B will be
in realm B.BASE.COM and BASE.COM is only for hierarchical trust and
some services.

I will have cross realm authentication (roaming authentication) so my
clients' /etc/krb5.conf will have the following entry:

[realms]
A.BASE.COM={
kdc = server1.base.com
admin_server = server1.base.com
default_domain = base.com
}

B.BASE.COM={
kdc = serb.base.com
admin_server = serb.base.com
default_domain = base.com
}

[domain_realm]
.base.com=A.BASE.COM
.base.com=B.BASE.COM

Is this possible? Do I need to create subdomains?

Best regards,

F.
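
Added example, not part of the original post: a small Python check of the [domain_realm] section quoted above, reporting keys that are mapped to more than one realm and which realms a given host can resolve to. It assumes the lookup order documented for that section in MIT Kerberos (exact host name first, then each parent domain with a leading dot); the serb.base.com host entry in the sample is constructed, and all function names are hypothetical.

```python
# Added example: lint a krb5.conf [domain_realm] section (sample is constructed).
SAMPLE = """\
[domain_realm]
.base.com=A.BASE.COM
.base.com=B.BASE.COM
serb.base.com = B.BASE.COM
"""

def parse_domain_realm(text):
    """Return the (key, realm) relations of [domain_realm], in file order."""
    relations, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            relations.append((key.lower(), realm))
    return relations

def conflicts(relations):
    """Keys mapped to more than one realm, i.e. ambiguous mappings."""
    seen = {}
    for key, realm in relations:
        seen.setdefault(key, [])
        if realm not in seen[key]:
            seen[key].append(realm)
    return {k: v for k, v in seen.items() if len(v) > 1}

def candidates(host):
    """Lookup keys for a host, most specific first: host, .parent, ..."""
    host = host.lower().rstrip(".")
    keys, rest = [host], host
    while "." in rest:
        rest = rest.split(".", 1)[1]
        keys.append("." + rest)
    return keys

def realms_for(host, relations):
    """All realms listed under the most specific key that matches host."""
    for key in candidates(host):
        found = sorted({r for k, r in relations if k == key})
        if found:
            return found
    return []

if __name__ == "__main__":
    rels = parse_domain_realm(SAMPLE)
    print(conflicts(rels), realms_for("server1.base.com", rels))
```

A host that comes back with more than one realm has no unambiguous mapping; a per-host entry such as the constructed serb.base.com line resolves to a single realm.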


