Multiple realms served by single kadmind
Tim Mooney
mooney at dogbert.cc.ndsu.nodak.edu
Tue May 28 17:44:15 EDT 2013
In regard to: Re: Multiple realms served by single kadmind, Tom Parker said...:
> Thanks for the information. How can I tell my clients to use a custom
> port for password change? The man pages I have don't mention this and
> they tell me erroneously that kadmind will serve multiple realms (this
> I assume is a SUSE packaging problem, not a Kerberos problem).
We've been doing what you're asking about for quite a few years -- one KDC
but about a dozen kadminds.
Your /etc/krb5.conf on your clients will look something like
[realms]
    REALM1.EXAMPLE.COM = {
        kdc = kdc1.realm1.example.com:88
        kdc = kdc2.realm1.example.com:88
        admin_server = kdc1.realm1.example.com:911
        default_domain = realm1.example.com
    }
    REALM2.EXAMPLE.COM = {
        kdc = kdc1.realm2.example.com:88
        kdc = kdc2.realm2.example.com:88
        admin_server = kdc1.realm2.example.com:912
        default_domain = realm2.example.com
    }
with additional stanzas for each realm, with the port listed.
Then, the [realms] section of your kdc.conf will contain a line for
kadmind_port for each realm, e.g.
[realms]
    REALM1.EXAMPLE.COM = {
        # other standard settings
        kadmind_port = 911
    }
    REALM2.EXAMPLE.COM = {
        # other standard settings
        kadmind_port = 912
    }
We're also using separate kpropd processes for each realm on the
secondaries, with each kpropd on its own port. That's specified via
the '-P portnum' option when starting kpropd. It does mean that we
disable the standard kpropd startup script and have one-per-realm
(/etc/init.d/kprop_REALM1, /etc/init.d/kprop_REALM2, etc).
We're not using incremental propagation, so things might be different
there. Instead, we only do propagation when the dump file has changed
from the checksum from the previous dump file.
Tim
--
Tim Mooney mooney at dogbert.cc.nrealm2.NoDak.edu
Enterprise Computing & Infrastructure 701-231-1076 (Voice)
Room 242-J6, IACC Building 701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
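An added shell sketch of the checksum-gated propagation Tim describes (not his actual script): the dump is pushed with kprop only when its checksum differs from the one recorded after the previous push. It assumes MIT kprop's -r/-f/-P options, coreutils sha256sum, and hypothetical dump/stamp paths; the kprop command is a parameter so it can be swapped for a stub.

```shell
#!/bin/sh
# Checksum-gated propagation: run kprop only when the KDC dump differs from
# the dump propagated last time. Constructed example; DUMP/STAMP paths are
# hypothetical. Assumes MIT kprop (-r realm, -f dumpfile, -P port) and
# coreutils sha256sum. The dump itself is produced beforehand, e.g. by
# `kdb5_util -r REALM dump DUMP`.

# Print the checksum of a file (first field of sha256sum output).
file_checksum() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed (exit 0) when DUMP's checksum differs from the one stored in STAMP,
# or when no STAMP exists yet. Modifies nothing.
dump_changed() {
    [ -f "$2" ] || return 0
    [ "$(file_checksum "$1")" != "$(cat "$2")" ]
}

# propagate_if_changed DUMP STAMP SECONDARY REALM PORT [KPROP]
# Prints "unchanged" and returns 0 when nothing needs to be sent. Otherwise
# runs KPROP (default: kprop) against the per-realm kpropd listening on PORT
# and, only on success, records the new checksum so a failed push is retried
# on the next run. Returns 1 when kprop fails.
propagate_if_changed() {
    dump="$1"; stamp="$2"; secondary="$3"; realm="$4"; port="$5"
    kprop_cmd="${6:-kprop}"
    if ! dump_changed "$dump" "$stamp"; then
        echo unchanged
        return 0
    fi
    "$kprop_cmd" -r "$realm" -f "$dump" -P "$port" "$secondary" || return 1
    file_checksum "$dump" > "$stamp"
    echo propagated
}

# Example invocation for one realm (paths and KPROPD_PORT are hypothetical;
# the port must match the -P given to that realm's kpropd on the secondary):
# propagate_if_changed /var/kerberos/krb5kdc/REALM1.dump \
#     /var/kerberos/krb5kdc/REALM1.dump.sha256 \
#     kdc2.realm1.example.com REALM1.EXAMPLE.COM "$KPROPD_PORT"
```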