Multi REALM krb config file.

Techie techchavez at gmail.com
Mon Mar 29 14:20:49 EDT 2010


On Mon, Mar 29, 2010 at 11:03 AM, Russ Allbery <rra at stanford.edu> wrote:

>
>> The krb5.conf man page seems to indicate that you can have multiple
>> Kerberos REALMS defined in a single krb5.conf file.
>
>> Will doing this allow authentication to multiple realms?  If so, will it
>> try and contact each defined realm until it sees a matching principal?
>
> It depends on what you mean by "it."  If you mean kinit, I don't believe
> it has support for this.  If you mean something else, it depends on the
> application.  For example, you can configure my pam-krb5 PAM module to do
> this.

Good point. By "it" I mean this:
I have an LDAP setup with all users contained within the tree.
However, these users are broken into 4 KRB REALMS.
I use pam_krb5 for authentication and it works for the default realm.
Do you have any links describing how to set up pam_krb5 for multi
realm? This is basically what I am chasing.

> I believe MIT Kerberos only lets you define a single default realm, which
> is the realm used for authentication if no realm is specified in the
> principal name.  (However, you can do things with server referrals.)

Can you please elaborate on what you mean by server referral? Do you
mean server referral as in LDAP server referrals or as in a referral
to another KDC for authentication? Maybe a dumb question. I know LDAP
server referrals are possible but don't know if KRB allows it.

Thanks again
>
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
>



