One domain and 3 realms - Different situation than previous thread
fsoliv
fsoliv at gmail.com
Mon Jun 13 10:33:18 EDT 2005
Hello,

I am studying a Kerberos implementation for my company.
I am planning to configure three realms.
The realms are A.BASE.COM, B.BASE.COM and BASE.COM (hierarchical).
I have only *one* DNS domain, base.com, and I won't be changing that.

My question is, will the fact of having one DNS domain affect the
Kerberos service in any way? I won't be using dns_lookup_realm
and dns_lookup_kdc.
I know that in each client's /etc/krb5.conf file I can configure a
[domain_realm] section.

I have read this thread
http://mailman.mit.edu/pipermail/kerberos/2005-June/007876.html where
it is stated that this configuration will be an administration
nightmare. My situation is different from the situation in this thread
in the sense that although there are three realms, only machines from
location A will be in realm A.BASE.COM, machines in location B will be
in realm B.BASE.COM and BASE.COM is only for hierarchical trust and
some services.

I will have cross-realm authentication (roaming authentication), so my
clients' /etc/krb5.conf will have the following entry:

[realms]
    A.BASE.COM = {
        kdc = server1.base.com
        admin_server = server1.base.com
        default_domain = base.com
    }
    B.BASE.COM = {
        kdc = serb.base.com
        admin_server = serb.base.com
        default_domain = base.com
    }

[domain_realm]
    .base.com = A.BASE.COM
    .base.com = B.BASE.COM

Is this possible? Do I need to create subdomains?
Best regards,
F.
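
An added example, not part of the original post and not MIT krb5 code: a small check of the posted [domain_realm] section that flags any key mapped to more than one realm. The lookup order it models (exact host name first, then each parent domain) is a simplifying assumption, and the hosts pc1 and pc2 in the second configuration are constructed.

```python
from collections import defaultdict

# The [domain_realm] section exactly as posted above.
POSTED = """\
[domain_realm]
.base.com=A.BASE.COM
.base.com=B.BASE.COM
"""

# Constructed alternative: exact host entries (pc1 and pc2 are hypothetical hosts).
PER_HOST = """\
[domain_realm]
pc1.base.com = A.BASE.COM
pc2.base.com = B.BASE.COM
.base.com = BASE.COM
"""

def parse_domain_realm(text):
    """Return {key: [realm, ...]} for the [domain_realm] section only."""
    table, section = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            table[key.lower()].append(realm)
    return dict(table)

def ambiguous_keys(table):
    """Keys that are mapped to more than one distinct realm."""
    return {k: v for k, v in table.items() if len(set(v)) > 1}

def candidates(host):
    """Keys tried for a host: full name, then each parent as '.dom' and 'dom'."""
    keys, rest = [host.lower()], host.lower()
    while "." in rest:
        rest = rest[rest.index("."):]
        keys.append(rest)        # e.g. ".base.com"
        rest = rest[1:]
        keys.append(rest)        # e.g. "base.com"
    return keys

def realms_for(host, table):
    """Realms under the first matching key; more than one means ambiguous."""
    for key in candidates(host):
        if key in table:
            return table[key]
    return []
```
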