multiple realm KDC support (was Re: preauth plugin configuration issues)

Tim Mooney mooney at
Tue Mar 6 15:27:01 EST 2007

In regard to: multiple realm KDC support (was Re: preauth plugin...:

> On Mar 3, 2007, at 19:50, Tim Mooney wrote:
>> In regard to: Re: preauth plugin configuration issues, Sam Hartman
>> said (at...:
>>> We used to support more than one realm per KDC the way Kevin is
>>> talking about.  I personally don't think it works, and if that's
>>> true,
>>> I agree Kevin should ignore it.  However Ken thinks it does still
>>> work.  We have not verified yet.
>> It seems to be working for us.  We're running 11 realms with one KDC
>> process using Red Hat 4's 1.3.4-33 packages.  We previously ran the
>> exact same config with their 1.2.x packages under RHEL 3.
> As Sam noted, I believe it works, or at least doesn't take much work
> to make the KDC work.  (Though as Nico notes, that's not the case for
> kadmind.)  I know I've heard of someone doing it recently,
> unfortunately, I just can't remember who it was, or what version of
> the software. :-(  (Could it have been you, Tim?  Has there been
> other email about this in recent months?)

It might have been me.  I recall someone else asking about whether it
can be done several months back, and I likely responded.

>> We weren't aware that MIT had deprecated that type of configuration.
> It's not so much deprecated as untested, I think.  At least, I don't
> recall any decision to specifically make it deprecated, we just
> aren't putting in any effort.

That's kind of what I expected, and I guess it's better news that having
it actively deprecated.

>  In fact, if someone wanted to test it
> out in 1.6 and submit some patches to make the test suite exercise
> it, I think we could pretty easily fix that.  (Barring, of course,
> some actual decision to deprecate it.)

As much as I would like to contribute something back, especially when
we're one of a small group of users of that feature, I can't make any
commitment to doing something like that, at this point.  I will keep it
on the pet projects list in case I find some time down the road.  I'll
also suggest it to my manager, to see if he'll prioritize it for someone
in my workgroup.

Tim Mooney                              mooney at
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

More information about the krbdev mailing list