Multiple realms served by single kadmind
Tom Parker
tparker at cbnco.com
Mon Jun 3 00:36:29 EDT 2013
Thanks to everyone for their help.
I have it working nicely now with a kadmin process for each realm.
I hacked up the kadmind init script a little bit to loop over a list of
realms and call kadmind -r REALM for each entry. Everything else is
defined in kdc.conf and in SRV records.
For anyone doing future googling:
/etc/krb5.conf
<snipit>
[realms]
DM.EXAMPLE.COM = {
admin_server = auth1.dm.example.com:7490
auth_to_local = RULE:[1:$1@$0]
auth_to_local = RULE:[2:$1@$0]
default_domain = dm.example.com
}
</snipit>
/var/lib/kerberos/krb5kdc/kdc.conf
<snipit>
[realms]
DM.EXAMPLE.COM = {
kadmind_port = 7490
kpasswd_port = 4640
}
</snipit>
zone entries
<snipit>
_kerberos-adm._tcp IN SRV 0 0 7490 auth1.dm.example.com.
_kpasswd._udp IN SRV 0 0 4640 auth1.dm.example.com.
</snipit>
Tom
On 05/28/2013 05:44 PM, Tim Mooney wrote:
> In regard to: Re: Multiple realms served by single kadmind, Tom Parker said...:
>
>> Thanks for the information. How can I tell my clients to use a custom
>> port for password change? The man pages I have don't mention this and
>> they tell me erroneously that kadmind will serve multiple realms (this
>> I assume is a SUSE packaging problem, not a Kerberos problem).
> We've been doing what you're asking about for quite a few years -- one KDC
> but about a dozen kadminds.
>
> Your /etc/krb5.conf on your clients will look something like
>
>
> REALM1.EXAMPLE.COM = {
> kdc = kdc1.realm1.example.com:88
> kdc = kdc2.realm1.example.com:88
> admin_server = kdc1.realm1.example.com:911
> default_domain = realm1.example.com
> }
>
> REALM2.EXAMPLE.COM = {
> kdc = kdc1.realm2.example.com:88
> kdc = kdc2.realm2.example.com:88
> admin_server = kdc1.realm2.example.com:912
> default_domain = realm2.example.com
> }
>
> with additional stanzas for each realm, with the port listed.
>
> Then, the [realms] section of your kdc.conf will contain a line for
> kadmind_port for each realm, e.g.
>
> [realms]
> REALM1.EXAMPLE.COM = {
> # other standard settings
> kadmind_port = 911
> }
>
> REALM2.EXAMPLE.COM = {
> # other standard settings
> kadmind_port = 912
> }
>
>
> We're also using separate kpropd processes for each realm on the
> secondaries, with each kpropd on its own port. That's specified via
> the '-P portnum' option when starting kpropd. It does mean that we
> disable the standard kpropd startup script and have one-per-realm
> (/etc/init.d/kprop_REALM1, /etc/init.d/kprop_REALM2, etc).
>
> We're not using incremental propagation, so things might be different
> there. Instead, we only do propagation when the dump file has changed
> from the checksum from the previous dump file.
>
> Tim
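The thread lines up three things per realm: a distinct kadmind_port in kdc.conf (each kadmind -r REALM binds its own port), the matching admin_server port clients read from krb5.conf, and an init-script loop over the realm list. The script below is an added example, not code from Tom's or Tim's mail: it parses both files, refuses to proceed if two realms share a port or the client and server sides disagree, and only echoes the kadmind -r REALM commands the loop would run. The file paths, the LAB.EXAMPLE.COM realm and the port numbers are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: consistency check for the
# one-kadmind-per-realm layout. Paths, realms and ports are constructed.

# Print "REALM PORT" for one key (kadmind_port, kpasswd_port, admin_server)
# from every stanza in the [realms] section of a krb5/kdc.conf-style file.
realm_ports() {
    # $1 = config file, $2 = key to extract
    awk -v key="$2" '
        /^ *\[/               { in_realms = ($0 ~ /^ *\[realms\]/); next }
        in_realms && /= *[{]/ { realm = $1; next }
        /^ *[}]/              { realm = ""; next }
        in_realms && realm != "" && $1 == key {
            # admin_server is host[:port]; no port means the kadmin default, 749
            if (key == "admin_server") { if ($3 ~ /:/) sub(/.*:/, "", $3); else $3 = 749 }
            print realm, $3
        }
    ' "$1"
}

# Read "REALM PORT" lines on stdin; succeed only if no port repeats.
# Two kadminds cannot bind the same port, so a duplicate means the
# init-script loop would start one and fail on the other.
ports_unique() {
    dups=$(awk '{ print $2 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# Print realms whose client-side admin_server port (krb5.conf) differs
# from the server-side kadmind_port (kdc.conf), or that appear in only
# one of the two files. Prints nothing when everything agrees.
port_mismatches() {
    # $1 = kdc.conf, $2 = krb5.conf
    { realm_ports "$1" kadmind_port; realm_ports "$2" admin_server; } |
    awk '{ seen[$1] = seen[$1] " " $2 }
         END {
             for (r in seen) {
                 n = split(seen[r], p, " ")
                 if (n != 2 || p[1] != p[2]) print r, seen[r]
             }
         }'
}

# Print the per-realm command an init-script loop would run. This only
# echoes; kadmind -r itself reads that realm's kadmind_port from kdc.conf.
kadmind_commands() {
    realm_ports "$1" kadmind_port | while read -r realm port; do
        echo "kadmind -r $realm    # will bind kadmind_port $port"
    done
}

# Constructed sample configs (not copied from any real host).
TMP=$(mktemp -d)
cat > "$TMP/kdc.conf" <<'EOF'
[kdcdefaults]
    kdc_ports = 88
[realms]
    DM.EXAMPLE.COM = {
        kadmind_port = 7490
        kpasswd_port = 4640
    }
    LAB.EXAMPLE.COM = {
        kadmind_port = 7491
        kpasswd_port = 4641
    }
EOF
cat > "$TMP/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = DM.EXAMPLE.COM
[realms]
    DM.EXAMPLE.COM = {
        admin_server = auth1.dm.example.com:7490
        default_domain = dm.example.com
    }
    LAB.EXAMPLE.COM = {
        admin_server = auth1.lab.example.com:7491
        default_domain = lab.example.com
    }
EOF

# Refuse to emit start commands if the layout is inconsistent.
if ! realm_ports "$TMP/kdc.conf" kadmind_port | ports_unique; then
    echo "duplicate kadmind_port in kdc.conf" >&2
elif [ -n "$(port_mismatches "$TMP/kdc.conf" "$TMP/krb5.conf")" ]; then
    echo "admin_server port in krb5.conf disagrees with kdc.conf:" >&2
    port_mismatches "$TMP/kdc.conf" "$TMP/krb5.conf" >&2
else
    kadmind_commands "$TMP/kdc.conf"
fi
```

Running it against the constructed files prints one kadmind -r line per realm; point the two variables at the real /var/lib/kerberos/krb5kdc/kdc.conf and /etc/krb5.conf to check a live layout. The same realm_ports helper with kpasswd_port gives the values to compare against the _kpasswd._udp SRV records.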