Add second realm to existing KDC ?

Greg Hudson ghudson at mit.edu
Tue Sep 10 12:43:49 EDT 2019


On 9/10/19 12:25 PM, chris wrote:
> Hi, we've been running a very simple MIT krb5 KDC for a single realm for
> years with no problems.  Now, we'd like to add a second realm to the
> mix.  Can it easily be added to the same KDC?   We don't need
> cross-realm trust or anything.

To a rough approximation, each realm needs its own KDC and kadmind
processes, and its own database.  They can run on the same host on
different ports.

krb5kdc can be instructed to serve multiple realms (by passing it
multiple -r options on the command line), but kadmind does not have the
same support.  You would still need separate databases for each realm.

> If possible, then what would be the steps?  Add new realm to krb5.conf &
> kdc.conf ?  Create new master database?  Or could the existing database
> be used?  New tgt for the new domain?  What else?

Assuming you are co-hosting the realms:

Add the new realm specification to the config files.  Make sure ports
are specified in realm config, not in [kdcdefaults], so that each
process can use separate ports.  Create a new database for the new realm.

Then arrange for krb5kdc to be run with "-r REALM" flags for each realm,
and similarly for kadmind.  How you do this part is system-specific.
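The co-hosted layout described above, as an added example that is not part of the original thread: a kdc.conf fragment for two realms in which every realm block carries its own database and its own ports and [kdcdefaults] carries no port keys at all, together with an awk check that enforces that invariant (no port key under [kdcdefaults], every realm has kdc_ports and kadmind_port, no port reused between realms). The realm names, ports and file paths are constructed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Generates a two-realm kdc.conf with per-realm ports/databases and checks it.
# Realm names, ports and paths are constructed placeholders (assumptions).

REALM_A="EXAMPLE.COM"       # the existing realm
REALM_B="LAB.EXAMPLE.COM"   # the realm being added

# Emit a kdc.conf where ports live in each realm block, never in [kdcdefaults],
# so each krb5kdc/kadmind process can bind to distinct ports.
two_realm_kdc_conf() {
    cat <<EOF
[kdcdefaults]
    # Intentionally no kdc_ports, kdc_tcp_ports or kadmind_port here:
    # a value in this section would be shared by every realm.

[realms]
    $REALM_A = {
        database_name = /var/kerberos/krb5kdc/principal
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        key_stash_file = /var/kerberos/krb5kdc/.k5.$REALM_A
        kdc_ports = 88
        kdc_tcp_ports = 88
        kadmind_port = 749
    }
    $REALM_B = {
        database_name = /var/kerberos/krb5kdc/principal-lab
        acl_file = /var/kerberos/krb5kdc/kadm5-lab.acl
        key_stash_file = /var/kerberos/krb5kdc/.k5.$REALM_B
        kdc_ports = 8888
        kdc_tcp_ports = 8888
        kadmind_port = 8749
    }
EOF
}

# Check a kdc.conf file: exit 0 when the per-realm port layout is sound,
# exit 1 (with a diagnostic per problem) otherwise.
check_realm_ports() {
    awk '
        BEGIN { bad = 0; realms = 0 }
        /^\[/ { section = $0; next }
        section == "[kdcdefaults]" && /^[ \t]*(kdc_ports|kdc_tcp_ports|kadmind_port)[ \t]*=/ {
            print "port key in [kdcdefaults], would be shared by all realms: " $0; bad = 1
        }
        section == "[realms]" && /=[ \t]*[{]/ { realm = $1; names[++realms] = realm }
        section == "[realms]" && /^[ \t]*kdc_ports[ \t]*=/ {
            p = $NF
            if (p in seen_kdc) { print "kdc_ports " p " used by both " seen_kdc[p] " and " realm; bad = 1 }
            seen_kdc[p] = realm; got_kdc[realm] = 1
        }
        section == "[realms]" && /^[ \t]*kadmind_port[ \t]*=/ {
            p = $NF
            if (p in seen_adm) { print "kadmind_port " p " used by both " seen_adm[p] " and " realm; bad = 1 }
            seen_adm[p] = realm; got_adm[realm] = 1
        }
        END {
            for (i = 1; i <= realms; i++) {
                r = names[i]
                if (!(r in got_kdc)) { print "realm " r " has no kdc_ports"; bad = 1 }
                if (!(r in got_adm)) { print "realm " r " has no kadmind_port"; bad = 1 }
            }
            exit bad
        }
    ' "$1"
}

# Stand-alone run: write the sample config and check it.
conf="${TMPDIR:-/tmp}/kdc.conf.two-realms"
two_realm_kdc_conf > "$conf"
check_realm_ports "$conf" && echo "OK: $conf passes the per-realm port check"
```

Once a file like this is in place as the real kdc.conf, add a matching `kdc = host:port` and `admin_server = host:port` entry for each realm under [realms] in krb5.conf, create the second database with `kdb5_util -r LAB.EXAMPLE.COM create -s` (the stash path comes from key_stash_file), and start one krb5kdc with `-r EXAMPLE.COM -r LAB.EXAMPLE.COM` plus one kadmind per realm (`kadmind -r REALM`). The check function can be pointed at any existing kdc.conf to confirm no realm is silently inheriting a port from [kdcdefaults].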