Mulltiple domains in one KDC process?

[Rick van Rein (OpenFortress)]

Hello,

I am trying to get the KDC to service multiple realms.  Configuration files and backing stores all support this idea, but my KDC process sticks to the default realm setup in /etc/krb5.conf (and can presumably be overridden with -r on the KDC commandline).  If I try to access another realm, I end up with CLIENT_NOT_FOUND, which I traced back in the source code to be triggered by is_principal_in_realm() function in src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c that checks if the requested principal is part of the current realm.

Is it possible to have one KDC process, running on a single port, supporting multiple realms?  Same for kadmin and kpasswd services?

Why?  Because otherwise each realm allocates a set of ports, and port space is getting scarce in the IPv4 world.  Specifically for us, because we are building towards hosting platform inclusion of Kerberos, and so we need the scalability.  And, of course, because everything appears to be in place to do this sort of thing, protocols including.  This realm-check appears overzealous to me… so I must be missing something ;-)

Thanks,
 -Rick