Kerberos multi domain

Edward Murrell edward at murrell.co.nz
Fri Jan 1 21:10:56 EST 2010


As far as I know, MIT Kerberos can run multiple KDCs from the same
machine, but each realm needs to have its own IP or set of ports.
 

On Fri, 2010-01-01 at 13:19 +0100, BOUCHER, Flavien wrote:
> Hi,
> 
> I need to set up Kerberos for six distinct domains; there is no trust relationship between the domains.
> When I set up the domains one by one, it's working.
> 
> After testing each domain one by one, I merge the keytab files and change the krb5.conf file:
> 
>             [libdefaults]
>                  default_realm = MSDEMO
>                  default_keytab_name = FILE:C:\Kerberos\lcserver01.keytab
>                  default_tkt_enctypes = rc4-hmac des-cbc-md5
>                  default_tgs_enctypes = rc4-hmac des-cbc-md5
>                  forwardable  = true
>                  renewable  = true
>                  noaddresses = true
>                  clockskew  = 300
>             [realms]
>                  MSDEMO = {
>                       kdc = dc.msdemo.local:88
>                       default_domain = dc.msdemo.local
>                  }
> 
>                  MSDEMO2 = {
>                       kdc = dc2.msdemo2.local:88
>                       default_domain = msdemo2.local
>                  }
>             [domain_realm]
>                  .msdemo.local = MSDEMO
>                  .msdemo2.local = MSDEMO2
> 
> 
> When I merge the keytabs of these two domains and change the krb5.conf, just the authentication for MSDEMO is working.
> When I change the krb5.conf, and enter default_realm = MSDEMO2, the authentication is working for MSDEMO2.
> 
> Is it possible to make the authentication work for both domains at the same time?
> 
> Regards.
> 
> Flavien.
> 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
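
A check that a merged keytab really holds entries for every realm named in krb5.conf, as an added example that is not part of the original thread. It reads the standard keytab file format (version 0x0502); the service name `HTTP`, the hostnames and the helper names are assumptions, and the sample keytab is constructed with dummy keys.

```python
import struct

def counted(data, p):
    """Read a 16-bit length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Map realm -> [(principal, kvno, enctype)] for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    realms, pos = {}, 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                    # negative length marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(data, pos + 2)
        parts = []
        for _ in range(ncomp):
            part, p = counted(data, p)
            parts.append(part.decode())
        # name type, timestamp, 8-bit kvno, key enctype (11 bytes, big-endian)
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", data, p)
        _key, p = counted(data, p + 11)  # key bytes are skipped, never shown
        if end - p >= 4:                 # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        realm = realm.decode()
        realms.setdefault(realm, []).append(("/".join(parts) + "@" + realm, kvno, enctype))
        pos = end
    return realms

def missing_realms(data, expected):
    """Realms from krb5.conf that have no entry in the keytab."""
    return sorted(set(expected) - set(parse_keytab(data)))

def make_entry(realm, parts, kvno, enctype, key):
    """Build one constructed entry (sample data only, dummy key)."""
    c = lambda b: struct.pack(">H", len(b)) + b
    head = struct.pack(">H", len(parts)) + b"".join(c(x.encode()) for x in [realm] + parts)
    body = head + struct.pack(">IIBH", 1, 0, kvno, enctype) + c(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the service name "HTTP" and the hostnames are assumptions.
SAMPLE = (b"\x05\x02"
          + make_entry("MSDEMO", ["HTTP", "lcserver01.msdemo.local"], 3, 23, bytes(16))
          + make_entry("MSDEMO2", ["HTTP", "lcserver01.msdemo2.local"], 5, 23, bytes(16)))
```

For a real file, pass `open(path, "rb").read()` to `missing_realms` together with the realm names from the `[realms]` section; enctype 23 in the output is rc4-hmac.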




