Binding KDC to a specific virtual IP

Ken Raeburn raeburn at MIT.EDU
Mon Nov 12 16:43:46 EST 2007 

On Nov 12, 2007, at 09:08, Shivakeshav Santi wrote:
>     Does kerberos provide an option where one could bind the krb5kdc,
> kadmind,kadmind4 and krb524d to a specific virtual IP. I have a  
> machine
> (set of machines) which have multiple virtual ips, so can I bind  
> KDC to a
> single IP . Right now it listens on all IPs.

No, currently there's no such option.  You could use different port  
numbers, if the clients you're supporting can handle that.  (I've  
heard Microsoft clients may not support KDCs on non-default port  
numbers.)  It's also possible to run one KDC process serving multiple  
realms on the same port(s), though that's not the case for kadmind,  
and I'm not sure about krb524d but suspect not.  Note that while a  
few sites are using the multiple-realm support, it's not something we  
test often at MIT currently.

(kadmind4??  I think we stopped shipping that years ago.)

We do occasionally get requests for this, though not often.  If you  
(or someone) would like to take a shot at implementing it, feel  
free.  I have some suggestions: Implement it for all the servers with  
consistent specifications in the config file and/or command line.  It  
should probably support more than one address, so you don't have to  
pick between using one address and using all available addresses.   
Consider whether it might be desirable to integrate it with port- 
number specifications, instead of having them given separately.  And  
get some discussion going here before implementing it, to get  
feedback from others who might have similar but perhaps slightly  
different use cases in mind.

There's an old patch in our bug database (#987, from Mark Eichin) to  
let an address for krb524d be specified on the command line, but as  
it only addresses the issue for that one program, I'm reluctant to  
incorporate it.  (It also addresses a real bug in krb524d on  
multihomed systems, but I think the right fix for that is to factor  
out the networking code in the KDC that supports UDP services on  
multiple addresses, using one or more file descriptors depending on  
the OS support, and make it useable from krb524d as well.)

As I said, we don't often get requests for this, so it hasn't been a  
priority, and so far, I'm not aware of anyone who's wanted to sponsor  
or contribute the work.

Ken

More information about the krbdev mailing list