Each Realm must have its own KDC?

Tim Mooney mooney at dogbert.cc.ndsu.NoDak.edu
Thu Mar 21 18:13:00 EST 2002


In regard to: Re: Each Realm must have its own KDC?, Derek Atkins said (at...:

>Each realm needs to have its own logical KDC, but I believe you can
>run one "krb5kdc" process that serves multiple realms.  Note that this
>is implementation dependent.  The protocol doesn't really care, but an
>implementation may (or may not) limit you.

We're doing this with MIT's implementation of K5, and it has worked for
us for a while.  The krb5kdc can serve multiple realms via

	/path/to/krb5kdc -n -r REALM.ONE.EDU -r REALM.TWO.EDU [-r ...]

We run our krb5kdc out of init (from a Linux box), and I actually ran into
an init line length limitation because one of our KDCs is serving six
realms, each about 10-15 characters in length.

You need a separate `kadmind' for each realm, though, so you have to
arrange to have them run on different ports, i.e.:

	/path/to/kadmind -nofork -r REALM.ONE.EDU
	/path/to/kadmind -nofork -r REALM.TWO.EDU -port 901
	/path/to/kadmind -nofork -r REALM.THREE.EDU -port 902
	etc.

Then you need to make sure that your clients know where to look for their
admin servers and their KDCs.  This goes in the krb.conf on each machine:

[realms]
    REALM.ONE.EDU = {
        kdc = kdc1.realm.one.edu:88
        kdc = kdc2.realm.one.edu:88
        admin_server = kdc1.realm.one.edu:749
        default_domain = realm.one.edu
    }

    REALM.TWO.EDU = {
        kdc = kdc.realm.two.edu:88
        admin_server = kdc.realm.two.edu:901
        kpasswd_server = kdc.realm.two.edu:465
    }

    REALM.THREE.EDU = {
        kdc = kdc.realm.three.edu:88
        admin_server = kdc.realm.three.edu:902
        kpasswd_server = kdc.realm.three.edu:466
    }

    etc.

Then on your kdc, in your kdc.conf, you need settings for each realm, that
tell your kdc where the files for that realm are.  I highly recommend you
separate the files that must be unique for each realm, each into their
own subdirectory, e.g.

[realms]
    REALM.TWO.EDU = {
        database_name = /var/lib/krb5/krb5kdc/REALM.TWO.EDU/REALM.TWO.EDU
        admin_keytab = /var/lib/krb5/krb5kdc/REALM.TWO.EDU/kadmin.keytab
        acl_file = /var/lib/krb5/krb5kdc/REALM.TWO.EDU/kadmin.acl
        dict_file = /var/lib/krb5/krb5kdc/kadmin.dict
        key_stash_file = /var/lib/krb5/krb5kdc/REALM.TWO.EDU/.k5stash.REALM.TWO.EDU
        #
        # other settings, etc.
        #
        kadmind_port = 901
        kpasswd_port = 465
    }

    REALM.THREE.EDU = {
        database_name = /var/lib/krb5/krb5kdc/REALM.THREE.EDU/REALM.THREE.EDU
        admin_keytab = /var/lib/krb5/krb5kdc/REALM.THREE.EDU/kadmin.keytab
        acl_file = /var/lib/krb5/krb5kdc/REALM.THREE.EDU/kadmin.acl
        dict_file = /var/lib/krb5/krb5kdc/kadmin.dict
        key_stash_file = /var/lib/krb5/krb5kdc/REALM.THREE.EDU/.k5stash.REALM.THREE.EDU
        #
        # other settings, etc.
        #
        kadmind_port = 902
        kpasswd_port = 466
    }

    etc.


Note that the kadmin.dict files can be shared between the realms, if
you want.

That's about all there is to it.

Tim
-- 
Tim Mooney                              mooney at dogbert.cc.ndsu.NoDak.edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
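As an added example (not from Tim's message or from the MIT krb5 project), here is a small Python check for the setup described above: it confirms that the per-realm settings in kdc.conf agree with the admin_server/kpasswd_server ports clients are given in krb5.conf, and that no two realms on the same KDC host share a kadmind or kpasswd port or a per-realm file (dict_file may be shared, as the message notes). It assumes the [realms] layout quoted above, MIT's default ports of 749 (kadmind) and 464 (kpasswd) when none is set, and constructed sample configs in which REALM.THREE.EDU is deliberately inconsistent; the `daemon_command_lines` helper only rebuilds the krb5kdc/kadmind invocations shown in the message from the parsed config. The function names are this example's own.

```python
"""Check that the KDC's kdc.conf and the clients' krb5.conf agree on a
multi-realm MIT krb5 host (added example, not from the post).  Assumes the
[realms] layout quoted in the message and MIT's defaults of 749 (kadmind)
and 464 (kpasswd) when no port is set.  The sample configs are constructed;
REALM.THREE.EDU is made inconsistent on purpose."""
import re

DEFAULT_PORTS = {"kadmind": 749, "kpasswd": 464}
PER_REALM_FILES = ("database_name", "admin_keytab", "acl_file", "key_stash_file")

SAMPLE_KRB5_CONF = """
[realms]
    REALM.TWO.EDU = {
        kdc = kdc.realm.two.edu:88
        admin_server = kdc.realm.two.edu:901
        kpasswd_server = kdc.realm.two.edu:465
    }
    REALM.THREE.EDU = {
        kdc = kdc.realm.three.edu:88
        admin_server = kdc.realm.three.edu:902
        kpasswd_server = kdc.realm.three.edu:466
    }
"""

SAMPLE_KDC_CONF = """
[realms]
    REALM.TWO.EDU = {
        database_name = /var/lib/krb5/krb5kdc/REALM.TWO.EDU/principal
        acl_file = /var/lib/krb5/krb5kdc/REALM.TWO.EDU/kadmin.acl
        kadmind_port = 901
        kpasswd_port = 465
    }
    REALM.THREE.EDU = {
        database_name = /var/lib/krb5/krb5kdc/REALM.THREE.EDU/principal
        # copy-paste slip: this is REALM.TWO's ACL file
        acl_file = /var/lib/krb5/krb5kdc/REALM.TWO.EDU/kadmin.acl
        # the clients above still say 902
        kadmind_port = 903
        kpasswd_port = 466
    }
"""

def parse_realms(text):
    """Map realm -> {key: [values]} from the [realms] section of a krb5-style file."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1], None
        elif section != "realms":
            continue
        elif line == "}":
            current = None
        elif re.fullmatch(r"\S+\s*=\s*\{", line):
            current = line.split("=", 1)[0].strip()
            realms[current] = {}
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[current].setdefault(key, []).append(value)
    return realms

def port_of(hostport, default):
    """Port from 'host:port', or default when no port is given (no IPv6 literals)."""
    host, _, port = hostport.rpartition(":")
    return int(port) if host else default

def check_consistency(krb5_conf, kdc_conf):
    """Return a list of problems; an empty list means the two configs agree."""
    client, kdc, problems = parse_realms(krb5_conf), parse_realms(kdc_conf), []
    seen = {}   # (kind, value) -> owning realm, to catch two realms sharing a port or a file
    for realm, s in kdc.items():
        ports = {svc: int(s.get(svc + "_port", [d])[0]) for svc, d in DEFAULT_PORTS.items()}
        # kadmind/kpasswd ports and the per-realm files must be unique; dict_file may be shared
        claims = list(ports.items()) + [(k, p) for k in PER_REALM_FILES for p in s.get(k, [])]
        for kind, value in claims:
            owner = seen.setdefault((kind, value), realm)
            if owner != realm:
                problems.append(f"{realm}: {kind} {value} is already used by {owner}")
        c = client.get(realm)
        if not c or "admin_server" not in c:
            problems.append(f"{realm}: no admin_server for this realm in krb5.conf")
            continue
        # clients fall back to the admin_server host on port 464 when kpasswd_server is absent
        want = {"kadmind": port_of(c["admin_server"][0], DEFAULT_PORTS["kadmind"]),
                "kpasswd": port_of(c.get("kpasswd_server", [""])[0], DEFAULT_PORTS["kpasswd"])}
        for svc in DEFAULT_PORTS:
            if want[svc] != ports[svc]:
                problems.append(f"{realm}: krb5.conf {svc} port {want[svc]} != kdc.conf {svc}_port {ports[svc]}")
    return problems

def daemon_command_lines(kdc_conf, bindir="/path/to"):
    """One krb5kdc line for every realm plus one kadmind line per realm, as in the post."""
    realms = parse_realms(kdc_conf)
    krb5kdc = f"{bindir}/krb5kdc -n " + " ".join(f"-r {r}" for r in realms)
    kadmind = [f"{bindir}/kadmind -nofork -r {r}" + (f" -port {s['kadmind_port'][0]}" if "kadmind_port" in s else "")
               for r, s in realms.items()]
    return krb5kdc, kadmind
```

Run `check_consistency(SAMPLE_KRB5_CONF, SAMPLE_KDC_CONF)` and it reports the shared ACL file and the 902/903 port mismatch for REALM.THREE.EDU; feed it two realms that both leave the ports unset and it flags the collision on 749/464, which is exactly the situation the separate `-port` arguments in the message avoid.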