Multi Realm Question
Tom Parker
tparker at cbnco.com
Fri Sep 3 16:47:17 EDT 2010
On 09/03/2010 04:40 PM, Greg Hudson wrote:
> On Fri, 2010-09-03 at 15:36 -0400, Tom Parker wrote:
>> My question therefore is: Is there a way to run a single KDC with two
>> realms, one as master for XX.EXAMPLE.COM and one as slave for
>> EXAMPLE.COM? And if not, how would you solve this?
> It is possible for a single MIT krb5 KDC process to serve multiple
> realms, so this should in theory be possible.
We have tried running more than one realm on our test KDCs and things
have freaked out. I will keep testing and see if we can make it work
now that we have moved to LDAP-backed KDCs.
> However, I don't think I fully understand your requirements. Why is it
> necessary for the EXAMPLE.COM slave to be the same KDC as the
> XX.EXAMPLE.COM master?
Our firewall rules are rather tight and only a limited number of servers
in a local site can see the master KDC for EXAMPLE.COM at our head
office as well as be seen by all the clients on the local network.
Most clients on the local network cannot see the head office at all and
don't need to (password changes for head office users will be done at
the head office only).
I am trying to avoid the need for a 3rd authentication server at my
remote sites (XX.EXAMPLE.COM master and slave + EXAMPLE.COM slave).
Tom