Multi-tenancy in MIT KDC

Todd Grayson tgrayson at
Sat May 30 12:02:26 EDT 2015

I would suggest reading this:

A ream is a namespace that defines a database containing principals.
 logically REALM its separated from domain.  In AD environments by default
the domain and the realm are the same value with uppercase being the
notation for REALM.  In MIT implementations they are logically separate.
Unique rules and policies can be applied to a REALM and the principals it
contains, which can be members of multiple domains, in support of
authentication to the REALM.

When a user authenticates, generally its in the form username at REALM. In the
case of hosts and services you can also have names like
host/ at REALM or service/ at REALM, where fqdn is
"Fully qualified domain name" of the relevant host.

These types of things are completely arbitrary as naming designs however,
you can structure things to the left of the @ sign based upon what you are
doing, to the right of the @ is the REALM, best practice defines its in
UPPERCASE.  It does not matter what domain the user or service is a part of.

Domains (dns domain) can relate to realms on a one to one or many to one
relationship.  That is, many domains can be associated with a kerberos

A realm defines its relationship to DNS domains in the [libdefaults]
default_realm value, as well as having [domain_realms] mapping entries
within the /etc/krb5.conf to provide domain, subdomain, or host FQDN values
to specifically map a domain name to a REALM.

On Fri, May 29, 2015 at 7:03 PM, Firouzeh Jalilian <fjalilian at>

> What is the definition of "realm" in MIT KDC?  Is it just different
> domains?
> By definition of "tenant" I am referring to a categorization above the
> "domains".  For example a tenant could have multiple domains, and when a a
> user logs in there has to be an indicator of the "tenant" it belongs to
> besides its the domain. As the domain may not be sufficient to find the
> tenant the user belongs to.
> Is that something that is supported?
> Firouzeh
> ________________________________________
> From: kerberos-bounces at <kerberos-bounces at> on behalf of
> Tim Mooney <Tim.Mooney at>
> Sent: Friday, May 29, 2015 4:00 PM
> To: kerberos at
> Subject: Re: Multi-tenancy in MIT KDC
> In regard to: Multi-tenancy in MIT KDC, Firouzeh Jalilian said (at
> 10:24pm...:
> > I would like to know if there is any support currently for multi-tenancy
> > in MIT KDC?
> What do you mean by multi-tenancy?  Do you mean one krb5kdc process
> serving multiple distinct realms?  If so, then yes, that's possible.
> We've served 11 different realms from one krb5kdc process.
> You have to run separate kadmind processes, each on a separate port,
> because those can't serve multiple realms.  On your secondary kdcs,
> you also need to run a separate kpropd per realm, each on its own
> port.
> We've done it for years and it works, but if we were starting over,
> these days I'm not certain I would choose the same path.  Depending on
> your realms, it might be better to use separate VMs or containers,
> depending on what you're comfortable with.
> Tim
> --
> Tim Mooney                                             Tim.Mooney at
> Enterprise Computing & Infrastructure                  701-231-1076
> (Voice)
> Room 242-J6, Quentin Burdick Building                  701-231-8541 (Fax)
> North Dakota State University, Fargo, ND 58105-5164
> ________________________________________________
> Kerberos mailing list           Kerberos at
> ________________________________________________
> Kerberos mailing list           Kerberos at

Todd Grayson
Customer Operations Engineering

More information about the Kerberos mailing list