One domain and 3 realms - Different situation than previous thread
Ken Raeburn
raeburn at MIT.EDU
Mon Jun 13 12:00:12 EDT 2005
On Jun 13, 2005, at 10:33, fsoliv wrote:
> I am studying a kerberos implementation for my company.
> I am planning to configure three realms.
> The realms are A.BASE.COM, B.BASE.COM and BASE.COM (hierarchical).
> I have only *one* DNS domain base.com and I won't be changing that.
> My question is, will the fact of having one dns domain affect the
> kerberos service in any way? I won't be using the dns_lookup_realm
> and dns_lookup_kdc.
> I have read this thread
> http://mailman.mit.edu/pipermail/kerberos/2005-June/007876.html where
> it is stated that this configuration will be an administration
> nightmare.
I think "a bit of a headache" was the phrase used, not "nightmare". :-)
If you can commit to having some centrally maintained files that are
distributed to the workstations or servers (perhaps via cron jobs,
package updates, whatever, maybe symlinked into a shared, trusted file
system), you only need to update the one file. In fact, if you've got
the location information stored somewhere (perhaps as which subnet the
machine's address is in, in your master zone file), you could
programmatically recreate the domain_realm section as needed and
distribute it.
> My situation is different from the situation in this thread
> in the sense that although there are three realms only machines from
> location A will be in realm A.BASE.COM, machines in location B will be
> in realm B.BASE.COM and BASE.COM is only for hierarchical trust and
> some services.
That mostly removes BASE.COM from consideration as far as determining
the realm of any given host. So, effectively it's one domain with two
realms that we care about, for purposes of this discussion. The
location is irrelevant, unless you're doing some per-location
centralized system management.
> [domain_realm]
> .base.com=A.BASE.COM
> .base.com=B.BASE.COM
If you're thinking that the library would try each realm listed this
way, you're going to be disappointed. While the Kerberos specs allow
for services running on a single machine to have identities in multiple
realms, in our implementation, unless the realm is specified as part of
the principal name, the library will try to determine *one* realm for a
machine, and will use that; if the principal isn't found, you get an
error.
We also haven't yet implemented the KDC-based referral support that's
been proposed.
> Is this possible? Do I need to create subdomains?
What, like you said you wouldn't do, at the start of your message? :-)
Only if you can't distribute updates to the domain_realm section as
needed.
Ken
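One way to do what Ken sketches above, generating the domain_realm section from per-subnet location data so every host under the single base.com domain gets an explicit realm entry (an added example, not from the original thread; the hostnames, addresses, subnets and the BASE.COM fallback are assumptions):

```python
import ipaddress

# Constructed inputs: a host list as it might be pulled from the master zone
# file (hostname -> address) and a location/subnet -> realm table.  All names,
# addresses and subnets here are assumptions for illustration only.
ZONE_HOSTS = {
    "fs1.base.com": "10.1.0.5",
    "mail.base.com": "10.1.2.17",
    "db1.base.com": "10.2.0.9",
    "kdc.base.com": "10.0.0.2",
}
SUBNET_REALMS = {
    "10.1.0.0/16": "A.BASE.COM",   # location A
    "10.2.0.0/16": "B.BASE.COM",   # location B
}
DEFAULT_REALM = "BASE.COM"          # assumed fallback for shared services

def realm_for_address(addr, subnet_realms=SUBNET_REALMS, default=DEFAULT_REALM):
    """Pick the realm whose subnet contains addr (longest prefix wins)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net_str, realm in subnet_realms.items():
        net = ipaddress.ip_network(net_str)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, realm)
    return best[1] if best else default

def build_domain_realm(zone_hosts=ZONE_HOSTS, default=DEFAULT_REALM):
    """Per-host entries (one realm each) plus a single domain-wide default."""
    mapping = {host: realm_for_address(ip) for host, ip in zone_hosts.items()}
    mapping[".base.com"] = default
    return mapping

def render_section(mapping):
    """Render krb5.conf text: explicit hosts first, then the '.domain' entry."""
    lines = ["[domain_realm]"]
    for key in sorted(mapping, key=lambda k: (k.startswith("."), k)):
        lines.append(f"    {key} = {mapping[key]}")
    return "\n".join(lines)

def lookup_realm(hostname, mapping):
    """Approximate the library's matching order: exact host first, then
    progressively shorter parent-domain suffixes written with a leading dot."""
    name = hostname.lower().rstrip(".")
    if name in mapping:
        return mapping[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None

if __name__ == "__main__":
    print(render_section(build_domain_realm()))
```

Re-running the generator whenever the zone file changes and pushing the output to clients is the "one file" update Ken describes; a host absent from the list falls through to the .base.com entry.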