multiple realm KDC support (was Re: preauth plugin configuration issues)

Ken Raeburn raeburn at MIT.EDU
Sun Mar 4 04:25:53 EST 2007

On Mar 3, 2007, at 19:50, Tim Mooney wrote:
> In regard to: Re: preauth plugin configuration issues, Sam Hartman  
> said (at...:
>> We used to support more than one realm per KDC the way Kevin is
>> talking about.  I personally don't think it works, and if that's  
>> true,
>> I agree Kevin should ignore it.  However Ken thinks it does still
>> work.  We have not verified yet.
> It seems to be working for us.  We're running 11 realms with one KDC
> process using Red Hat 4's 1.3.4-33 packages.  We previously ran the
> exact same config with their 1.2.x packages under RHEL 3.

As Sam noted, I believe it works, or at least doesn't take much work  
to make the KDC work.  (Though as Nico notes, that's not the case for  
kadmind.)  I know I've heard of someone doing it recently,  
unfortunately, I just can't remember who it was, or what version of  
the software. :-(  (Could it have been you, Tim?  Has there been  
other email about this in recent months?)

> We weren't aware that MIT had deprecated that type of configuration.

It's not so much deprecated as untested, I think.  At least, I don't  
recall any decision to specifically make it deprecated, we just  
aren't putting in any effort.  In fact, if someone wanted to test it  
out in 1.6 and submit some patches to make the test suite exercise  
it, I think we could pretty easily fix that.  (Barring, of course,  
some actual decision to deprecate it.)  Ideally, I think, it would  
mean writing support to have it all driven by the DejaGnu test  
framework we use, and figuring out what things are actually useful to  
test.  (For example: kinit to principals in both realms; kvno to get  
tickets for services in both realms; cross-realm authentication  
between them; cross-realm authentication NOT set up between them;  
realm parameters from configuration files properly being applied to  
the corresponding realms; use of different master keys and master key  
types for different realms; PKINIT authentication to get TGTs from  
both realms; use of different database types or the same database  
type; etc.)  However, having shell scripts do a bunch of the work,  
and being able to run the shell scripts via DejaGnu, would be an okay  
way to start.


More information about the krbdev mailing list