One domain and 3 realms - Different situation than previous thread

Ken Raeburn raeburn at MIT.EDU
Mon Jun 13 12:00:12 EDT 2005


On Jun 13, 2005, at 10:33, fsoliv wrote:
> I am studying a kerberos implementation for my company.
> I am planning to configure three realms.
> The realms are A.BASE.COM, B.BASE.COM and BASE.COM (hierarchical).
> I have only *one* DNS domain base.com and I won't be changing that.
> My question is, will the fact of having one dns domain affect the
> kerberos service in any way? I won't be using the dns_lookup_realm
> and dns_lookup_kdc.


> I have read this thread
> http://mailman.mit.edu/pipermail/kerberos/2005-June/007876.html where
> it is stated that this configuration will be an administration
> nightmare.

I think "a bit of a headache" was the phrase used, not "nightmare". :-)

If you can commit to having some centrally maintained files that are 
distributed to the workstations or servers (perhaps via cron jobs, 
package updates, whatever, maybe symlinked into a shared, trusted file 
system), you only need to update the one file.  In fact, if you've got 
the location information stored somewhere (perhaps as which subnet the 
machine's address is in, in your master zone file), you could 
programmatically recreate the domain_realm section as needed and 
distribute it.

> My situation is different from the situation in this thread
> in the sense that although there are three realms only machines from
> location A will be in realm A.BASE.COM, machines in location B will be
> in realm B.BASE.COM and BASE.COM is only for hierarchical trust and
> some services.

That mostly removes BASE.COM from consideration as far as determining 
the realm of any given host.  So, effectively it's one domain with two 
realms that we care about, for purposes of this discussion.  The 
location is irrelevant, unless you're doing some per-location 
centralized system management.

> [domain_realm]
> .base.com=A.BASE.COM
> .base.com=B.BASE.COM

If you're thinking that the library would try each realm listed this 
way, you're going to be disappointed.  While the Kerberos specs allow 
for services running on a single machine to have identities in multiple 
realms, in our implementation, unless the realm is specified as part of 
the principal name, the library will try to determine *one* realm for a 
machine, and will use that; if the principal isn't found, you get an 
error.

We also haven't yet implemented the KDC-based referral support that's 
been proposed.

> Is this possible? Do I need to create subdomains?

What, like you said you wouldn't do, at the start of your message? :-)
Only if you can't distribute updates to the domain_realm section as 
needed.

Ken
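As an added illustration of the programmatic generation Ken describes above (this is not code from the thread or from MIT Kerberos), the script below derives one explicit host line per machine from a subnet-to-realm map and an excerpt of the master zone file; the subnets, hostnames and addresses are constructed placeholders, and the fallback realm for hosts outside any known subnet is an assumption.

```python
"""Generate the [domain_realm] section of krb5.conf for hosts that all
live in one DNS domain (base.com) but belong to different realms, with
the realm chosen by which subnet the host's address falls in."""
import ipaddress

# Constructed mapping: which subnet (location) belongs to which realm.
# The address ranges are hypothetical placeholders.
SUBNET_REALMS = {
    ipaddress.ip_network("10.1.0.0/16"): "A.BASE.COM",  # location A
    ipaddress.ip_network("10.2.0.0/16"): "B.BASE.COM",  # location B
}

# Constructed excerpt of a base.com master zone file (A records only).
ZONE = """\
$ORIGIN base.com.
ws01   IN A 10.1.4.7
ws02   IN A 10.1.9.20
fs01   IN A 10.2.0.15
kdc    IN A 10.0.0.5
"""

def parse_a_records(zone_text, origin):
    """Yield (fqdn, address) for each A record in a simple zone excerpt."""
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "IN" and parts[2] == "A":
            yield f"{parts[0]}.{origin}", parts[3]

def realm_for(addr):
    """Return the realm whose subnet contains addr, or None if no match."""
    ip = ipaddress.ip_address(addr)
    for net, realm in SUBNET_REALMS.items():
        if ip in net:
            return realm
    return None

def domain_realm_section(zone_text, origin="base.com", fallback="BASE.COM"):
    """Emit one explicit line per host: the library picks exactly one realm
    per machine, so a shared '.base.com' suffix cannot name two realms.
    Hosts in no known subnet get the (assumed) fallback and are reported."""
    lines, unmapped = ["[domain_realm]"], []
    for fqdn, addr in parse_a_records(zone_text, origin):
        realm = realm_for(addr)
        if realm is None:
            unmapped.append(fqdn)
            realm = fallback
        lines.append(f"    {fqdn} = {realm}")
    lines.append(f"    .{origin} = {fallback}")
    lines.append(f"    {origin} = {fallback}")
    return "\n".join(lines), unmapped

if __name__ == "__main__":
    text, unmapped = domain_realm_section(ZONE)
    print(text)
    if unmapped:
        print("# no subnet match, fallback realm used for:", unmapped)
```

Reviewing the reported unmapped hosts before distributing the file catches machines whose address is outside every known location subnet, which would otherwise silently land in the fallback realm.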
