multiple realm KDC support (was Re: preauth plugin configuration issues)
Ken Raeburn
raeburn at MIT.EDU
Sun Mar 4 04:25:53 EST 2007
On Mar 3, 2007, at 19:50, Tim Mooney wrote:
> In regard to: Re: preauth plugin configuration issues, Sam Hartman
> said (at...:
>> We used to support more than one realm per KDC the way Kevin is
>> talking about. I personally don't think it works, and if that's
>> true,
>> I agree Kevin should ignore it. However Ken thinks it does still
>> work. We have not verified yet.
>
> It seems to be working for us. We're running 11 realms with one KDC
> process using Red Hat 4's 1.3.4-33 packages. We previously ran the
> exact same config with their 1.2.x packages under RHEL 3.
As Sam noted, I believe it works, or at least doesn't take much work
to make the KDC work. (Though as Nico notes, that's not the case for
kadmind.) I know I've heard of someone doing it recently;
unfortunately, I just can't remember who it was, or what version of
the software. :-( (Could it have been you, Tim? Has there been
other email about this in recent months?)
> We weren't aware that MIT had deprecated that type of configuration.
It's not so much deprecated as untested, I think. At least, I don't
recall any decision to specifically make it deprecated, we just
aren't putting in any effort. In fact, if someone wanted to test it
out in 1.6 and submit some patches to make the test suite exercise
it, I think we could pretty easily fix that. (Barring, of course,
some actual decision to deprecate it.) Ideally, I think, it would
mean writing support to have it all driven by the DejaGnu test
framework we use, and figuring out what things are actually useful to
test. (For example: kinit to principals in both realms; kvno to get
tickets for services in both realms; cross-realm authentication
between them; cross-realm authentication NOT set up between them;
realm parameters from configuration files properly being applied to
the corresponding realms; use of different master keys and master key
types for different realms; PKINIT authentication to get TGTs from
both realms; use of different database types or the same database
type; etc.) However, having shell scripts do a bunch of the work,
and being able to run the shell scripts via DejaGnu, would be an okay
way to start.
Ken
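As an added illustration (not part of the original thread or of MIT's own test suite), here is what a two-realm kdc.conf of the kind Ken is describing looks like, with per-realm databases, stash files and master key types so that the "realm parameters from configuration files properly being applied to the corresponding realms" and "different master keys and master key types" items in his list can be checked. The realm names, paths and enctype choices are hypothetical; only the option names are standard kdc.conf settings.

```ini
; kdc.conf for one krb5kdc process serving two realms (example, not from the thread).
; Realm names, paths and enctypes below are made up for illustration.

[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    EXAMPLE.COM = {
        ; Separate database and stash per realm so a wrong master key
        ; or a cross-wired realm stanza shows up immediately.
        database_name = /var/krb5kdc/principal.example.com
        key_stash_file = /var/krb5kdc/.k5.EXAMPLE.COM
        acl_file = /var/krb5kdc/kadm5.acl.example.com
        master_key_type = aes256-cts-hmac-sha1-96
        supported_enctypes = aes256-cts-hmac-sha1-96:normal
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

    TEST.EXAMPLE.ORG = {
        ; Deliberately different master key type and ticket lifetimes,
        ; so that a kinit/klist against this realm proves the second
        ; stanza (and not the first) was applied.
        database_name = /var/krb5kdc/principal.test.example.org
        key_stash_file = /var/krb5kdc/.k5.TEST.EXAMPLE.ORG
        acl_file = /var/krb5kdc/kadm5.acl.test.example.org
        master_key_type = aes128-cts-hmac-sha1-96
        supported_enctypes = aes128-cts-hmac-sha1-96:normal
        max_life = 2h 0m 0s
        max_renewable_life = 1d 0h 0m 0s
    }
```

Each realm's database is created separately with `kdb5_util -r REALM create -s`, and principals are added with `kadmin.local -r REALM` (kadmin.local works per realm, which sidesteps the kadmind limitation Nico mentioned). For the cross-realm items on Ken's list, add `krbtgt/TEST.EXAMPLE.ORG@EXAMPLE.COM` to both databases with the same key and confirm `kvno` of a service in the other realm succeeds; the "cross-realm NOT set up" check is the same request with that krbtgt principal absent from one side, which must be refused. `klist -e` after a `kinit` in each realm shows the ticket enctype and lifetime, which is the quickest way to see that the right stanza was applied.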