[krbdev.mit.edu #8945] krb5kdc: the 32 realms limit
Дилян Палаузов via RT
rt at krbdev.mit.edu
Thu Sep 17 05:00:09 EDT 2020
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8945 >
Hello,
I withdraw the request.
As it turned out, in order to be able to change the password for a
separate realm, a separate kadmind process has to run. So for many
realms hosted on few hosts, many kadmind processes have to run on the
hosts for the rare event of changing a password. This is overkill.
Greetings
Дилян
At 21:56 +0300 on 08.09.2020 (Tue), Дилян Палаузов wrote:
> Hello,
>
> In my use case, all things shall go in a single Kerberos DataBase
> (KDB), all under LDAP(kldap). Say it this way: I want to have many
> users, and each user gets a separate domain. REALM=DOMAIN. So there
> are many realms with very few users in each.
>
> Greetings
> Dilyan
>
> On Tue, 2020-09-08 at 13:20 -0400, Greg Hudson via RT wrote:
> > For your use case, would it be better to have a separate KDB for
> > each realm (implying separate storage, propagation, and backup), or
> > have one KDB to which realms could be added and removed?
> >
> > To answer one of your questions, if you ran two separate krb5kdc
> > processes each with 31 -r options to get around the current 32-realm
> > limitation, they would have to serve different ports.
> >
> >