Multiple realms served by single kadmind

Tom Parker tparker at cbnco.com
Mon Jun 3 00:36:29 EDT 2013


Thanks to everyone for their help.

I have it working nicely now with a kadmin process for each realm. 

I hacked up the kadmind init script a little bit to loop over a list of
realms and call kadmind -r REALM for each entry.  Everything else is
defined in kdc.conf and in SRV records.

For anyone doing future googling.

/etc/krb5.conf
<snipit>
[realms]
    DM.EXAMPLE.COM = {
        admin_server = auth1.dm.example.com:7490

        auth_to_local = RULE:[1:$1@$0]
        auth_to_local = RULE:[2:$1@$0]

        default_domain = dm.example.com
    }
</snipit>

/var/lib/kerberos/krb5kdc/kdc.conf
<snipit>
[realms]
    DM.EXAMPLE.COM = {
        kadmind_port = 7490
        kpasswd_port = 4640
    }
</snipit>

zone entries
<snipit>
_kerberos-adm._tcp      IN SRV  0 0 7490 auth1.dm.example.com.
_kpasswd._udp           IN SRV  0 0 4640 auth1.dm.example.com.
</snipit>

Tom
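As an added illustration (not Tom's actual init-script change), here is a POSIX sh sketch of the per-realm loop that also refuses to start anything if two realms in kdc.conf share a kadmind_port, since two kadminds cannot bind the same socket. KDC_CONF, KADMIND and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: start one kadmind per realm, after checking that every
# realm in the [realms] section of kdc.conf has its own kadmind_port.
# Paths are assumptions; adjust to your distribution.
KDC_CONF="${KDC_CONF:-/var/lib/kerberos/krb5kdc/kdc.conf}"
KADMIND="${KADMIND:-/usr/sbin/kadmind}"

# Print the kadmind_port configured for REALM in the [realms] section of CONF.
kdc_realm_port() {
    realm="$1"; conf="$2"
    awk -v r="$realm" '
        $1 ~ /^\[/                                     { in_realms = ($1 == "[realms]") }
        in_realms && $1 == r && $2 == "=" && $3 == "{" { in_stanza = 1; next }
        in_stanza && $1 == "}"                         { in_stanza = 0 }
        in_stanza && $1 == "kadmind_port"              { print $3; exit }
    ' "$conf"
}

# Return 0 only if every listed realm has a non-empty, distinct kadmind_port.
check_unique_ports() {
    conf="$1"; shift
    ports=""
    for realm in "$@"; do
        port=$(kdc_realm_port "$realm" "$conf")
        [ -n "$port" ] || { echo "no kadmind_port for $realm in $conf" >&2; return 1; }
        case " $ports " in
            *" $port "*) echo "kadmind_port $port is used by more than one realm" >&2; return 1 ;;
        esac
        ports="$ports $port"
    done
    return 0
}

# The init-script loop: one kadmind -r REALM per realm, guarded by the port check.
start_kadminds() {
    conf="$1"; shift
    check_unique_ports "$conf" "$@" || return 1
    for realm in "$@"; do
        "$KADMIND" -r "$realm" || return 1
    done
}
```

Called as `start_kadminds "$KDC_CONF" DM.EXAMPLE.COM OTHER.EXAMPLE.COM` from the init script; the port check is the part worth keeping even if the loop itself is simpler.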


On 05/28/2013 05:44 PM, Tim Mooney wrote:
> In regard to: Re: Multiple realms served by single kadmind, Tom Parker said...:
>
>> Thanks for the information.  How can I tell my clients to use a custom
>> port for password change?  The man pages I have don't mention this and
>> they tell me erroneously that kadmind will serve multiple realms (this
>> I assume is a SUSE packaging problem, not a Kerberos problem).
> We've been doing what you're asking about for quite a few years -- one KDC
> but about a dozen kadminds.
>
> Your /etc/krb5.conf on your clients will look something like
>
>
>      REALM1.EXAMPLE.COM = {
>          kdc = kdc1.realm1.example.com:88
>          kdc = kdc2.realm1.example.com:88
>          admin_server = kdc1.realm1.example.com:911
>          default_domain = realm1.example.com
>      }
>
>      REALM2.EXAMPLE.COM = {
>          kdc = kdc1.realm2.example.com:88
>          kdc = kdc2.realm2.example.com:88
>          admin_server = kdc1.realm2.example.com:912
>          default_domain = realm2.example.com
>      }
>
> with additional stanzas for each realm, with the port listed.
>
> Then, the [realms] section of your kdc.conf will contain a line for
> kadmind_port for each realm, e.g.
>
> [realms]
>      REALM1.EXAMPLE.COM = {
>          # other standard settings
>          kadmind_port = 911
>      }
>
>      REALM2.EXAMPLE.COM = {
>          # other standard settings
>          kadmind_port = 912
>      }
>
>
> We're also using separate kpropd processes for each realm on the
> secondaries, with each kpropd on its own port.  That's specified via
> the '-P portnum' option when starting kpropd.  It does mean that we
> disable the standard kpropd startup script and have one-per-realm
> (/etc/init.d/kprop_REALM1, /etc/init.d/kprop_REALM2, etc).
>
> We're not using incremental propagation, so things might be different
> there.  Instead, we only do propagation when the dump file has changed
> from the checksum from the previous dump file.
>
> Tim
