Multiple realms served by single kadmind

Tim Mooney mooney at dogbert.cc.ndsu.nodak.edu
Tue May 28 17:44:15 EDT 2013


In regard to: Re: Multiple realms served by single kadmind, Tom Parker said...:

> Thanks for the information.  How can I tell my clients to use a custom
> port for password change?  The man pages I have don't mention this and
> they tell me erroneously that kadmind will serve multiple realms.  (This
> I assume is a SUSE packaging problem, not a Kerberos problem.)

We've been doing what you're asking about for quite a few years -- one KDC
but about a dozen kadminds.

Your /etc/krb5.conf on your clients will look something like

[realms]
     REALM1.EXAMPLE.COM = {
         kdc = kdc1.realm1.example.com:88
         kdc = kdc2.realm1.example.com:88
         admin_server = kdc1.realm1.example.com:911
         default_domain = realm1.example.com
     }

     REALM2.EXAMPLE.COM = {
         kdc = kdc1.realm2.example.com:88
         kdc = kdc2.realm2.example.com:88
         admin_server = kdc1.realm2.example.com:912
         default_domain = realm2.example.com
     }

with additional stanzas for each realm, with the port listed.

Then, the [realms] section of your kdc.conf will contain a line for
kadmind_port for each realm, e.g.

[realms]
     REALM1.EXAMPLE.COM = {
         # other standard settings
         kadmind_port = 911
     }

     REALM2.EXAMPLE.COM = {
         # other standard settings
         kadmind_port = 912
     }


We're also using separate kpropd processes for each realm on the
secondaries, with each kpropd on its own port.  That's specified via
the '-P portnum' option when starting kpropd.  It does mean that we
disable the standard kpropd startup script and have one-per-realm
(/etc/init.d/kprop_REALM1, /etc/init.d/kprop_REALM2, etc).

We're not using incremental propagation, so things might be different
there.  Instead, we only do propagation when the dump file's checksum
has changed from that of the previous dump file.

Tim
-- 
Tim Mooney                                  mooney at dogbert.cc.ndsu.NoDak.edu
Enterprise Computing & Infrastructure       701-231-1076 (Voice)
Room 242-J6, IACC Building                  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
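The dump-then-checksum-then-kprop loop Tim describes, written out as an added example; this is not his script and not part of MIT Kerberos.  It assumes kdb5_util and kprop are on PATH, a replica host kdc2.example.com, one kprop port per realm (754 is the default kprop port, 755 is made up for the second realm), and a state directory under /var/kerberos/krb5kdc; the realm names are carried over from the stanzas in the reply, and all of these values are assumptions.

```shell
#!/bin/sh
# Added example, not Tim Mooney's script: per-realm dump-and-propagate that
# only runs kprop when the dump's checksum differs from the one last sent.
# Realm names, ports, the replica host and STATE_DIR are assumed values.
set -eu

# One entry per realm, REALM:port, where port is the kprop/kpropd port for
# that realm (754 is the default kprop port; 755 is an assumed value).
REALM_PORTS=${REALM_PORTS:-"REALM1.EXAMPLE.COM:754 REALM2.EXAMPLE.COM:755"}
REPLICA=${REPLICA:-kdc2.example.com}
STATE_DIR=${STATE_DIR:-/var/kerberos/krb5kdc/propstate}
KDB5_UTIL=${KDB5_UTIL:-kdb5_util}
KPROP=${KPROP:-kprop}

# Print a checksum of a file as a single token (SHA-256 where available,
# otherwise the POSIX cksum CRC; either is enough to detect a changed dump).
file_checksum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# True (exit 0) when the dump's checksum differs from the recorded one, or
# when nothing has been recorded yet for this realm.
dump_changed() {
    new=$(file_checksum "$1")
    old=""
    if [ -f "$2" ]; then old=$(cat "$2"); fi
    [ "$new" != "$old" ]
}

# Record the checksum of a dump.  Called only after kprop succeeded, so a
# failed push is retried on the next run instead of being silently skipped.
record_checksum() {
    file_checksum "$1" > "$2"
}

# Dump one realm and push it to the replica's kpropd listening for that realm.
propagate_realm() {
    realm=$1; port=$2
    dump="$STATE_DIR/$realm.dump"
    state="$STATE_DIR/$realm.sum"
    "$KDB5_UTIL" -r "$realm" dump "$dump"
    if dump_changed "$dump" "$state"; then
        "$KPROP" -r "$realm" -f "$dump" -P "$port" "$REPLICA"
        record_checksum "$dump" "$state"
    fi
}

propagate_all() {
    mkdir -p "$STATE_DIR"
    for entry in $REALM_PORTS; do
        propagate_realm "${entry%%:*}" "${entry##*:}"
    done
}

# Run from cron as PROPAGATE_RUN=1 /path/to/script; off by default so the
# functions can be sourced and exercised on a host without a KDC.
if [ "${PROPAGATE_RUN:-0}" = 1 ]; then
    propagate_all
fi
```

On each secondary the matching listener is one kpropd per realm, e.g. kpropd -r REALM2.EXAMPLE.COM -P 755 -f /var/kerberos/krb5kdc/REALM2.EXAMPLE.COM.dump, which is what the per-realm init scripts in the reply would start.  One point the reply does not cover, relevant to Tom's original question: kadmind also serves the password-change protocol (port 464 by default), so a second kadmind on the same host needs its own kpasswd_port in the realm's kdc.conf stanza and clients need a matching kpasswd_server = host:port entry in krb5.conf, in addition to the admin_server port shown.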
