Multiple Realm Question...
David E. Cross
david at wsg.net
Thu May 15 17:23:20 EDT 2008
OK, I've poked around some more, and what I have found does not leave me
with warm fuzzies going forward at any level.
So, I started by playing it safe and having 2 separate directories.
This mostly worked. The issue was that kadmind doesn't seem to like to
have 2 principal databases with 2 private keys (stash files), and 2
keytabs. I would get inconsistent errors trying to "kadmin -r REALM1"
or "kadmin -r REALM2".
I decided to try the single-directory, single "principal" database
approach. I did this via a kdb5_util dump and a kdb5_util load -update to
merge the databases together. It worked, sorta. kdc seems happy with
it, but again kadmind has issues. This time the issues were that from
REALM2 I can see REALM1's principals, and to the extent that kadmin
policy allows me to, I can change keys, which actually winds up
corrupting REALM1's keys, as the master passwords are different (duh).
So at this point I am not sure where this leaves me, other than having
multiple images (which sucks for a few reasons). It seems like all of
this was designed to work; it just wasn't ever coded/tested.
BTW: below are the errors I get from kadmin when doing the 2-directory,
2-realm setup:
May 15 18:26:30 kerberos.domain kadmind(Notice): Unspecified GSS failure. Minor code may provide more information
May 15 18:26:30 kerberos.domain kadmind(Notice): Key table entry not found
May 15 18:26:30 kerberos.domain kadmind(Notice): GSS-API error
May 15 18:26:30 kerberos.domain kadmind(Notice): Authentication attempt failed: 10.x.y.z, GSS-API error strings are:
Any hints here, or do I need to go code spelunking?
David E. Cross
David E. Cross wrote:
> Not entirely sure this is appropriate for krbdev, but it seems to
> relate directly to the MIT codebase, and I haven't found any answers in
> FAQs, etc.
> I am looking to setup multiple realms on a single KDC, specifically the
> "right" way to do this.
> It _seems_ that the architecture is in place to do all of it with a
> single database: all of the principals within the "principal" file have
> their REALMs as part of the key, and the per-realm secret is set up by
> default to be .k5.REALM, so it seems it can all share a single
> database. However, when I try kdb5_util -r SECOND.REALM -s it dies
> on an error that the principal database already exists.
> Must I have multiple principal files? If so, why? It seems like a fair
> bit of thought was put in place to allow sharing. If it's just a limit
> on creation (it seems to be), can I (should I) kdb5_util dump/load/merge
> my way around it?
> Thank you.
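An added example, not part of the post above and not code from the MIT krb5 distribution. "Key table entry not found" in the kadmind log is the GSS-API acceptor reporting that the keytab kadmind opened has no key for the service principal the client asked for; one easy way to get there with two realms on one host is two [realms] stanzas in kdc.conf that fall back to the same default database, ACL file and admin keytab, so only one realm's keys are ever where the other realm's kadmind looks. The script below lints a kdc.conf so that no two realm stanzas share database_name, key_stash_file, acl_file or admin_keytab, and contrasts a constructed config with that clash against a corrected one that gives each realm its own directory and its own kadmind/kpasswd ports. Those setting names are MIT kdc.conf realm settings; the realm names, paths and port numbers are made up for the example. Whether a given release's kadmind takes its keys from a kadm5.keytab or straight from the database depends on the version, so check the kadmind and kdc.conf man pages for yours before relying on admin_keytab.

```shell
#!/bin/sh
# Added example, not from the krbdev post or from MIT krb5: lint a kdc.conf
# so that no two [realms] stanzas share a principal database, stash file,
# ACL file or admin keytab.  The four setting names are MIT kdc.conf realm
# settings; every realm name, path and port below is constructed.

# Print "<setting> <path> shared by <R1> and <R2>" for each per-realm path
# that two realm stanzas in the file $1 have in common.  Exit 0 if clean,
# 1 if any clash was found.
kdc_conf_realm_conflicts() {
    awk '
        # Track the current [section]; only [realms] is of interest.
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[realms\]/); next }
        # "REALM = {" opens a realm stanza, a lone "}" closes it.
        insec && /=[ \t]*[{][ \t]*$/ { realm = $1; next }
        insec && /^[ \t]*[}]/        { realm = ""; next }
        insec && realm != "" {
            sub(/^[ \t]+/, "")
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); gsub(/[ \t]+$/, "", key)
            val = substr($0, n + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "database_name" || key == "key_stash_file" ||
                key == "acl_file"      || key == "admin_keytab")
                print key "\t" val "\t" realm
        }' "$1" |
    sort |
    awk -F '\t' '
        # After sorting, identical setting/path pairs sit next to each other.
        $1 == pk && $2 == pv { printf "%s %s shared by %s and %s\n", $1, $2, pr, $3; bad = 1 }
        { pk = $1; pv = $2; pr = $3 }
        END { exit bad ? 1 : 0 }'
}

# Number of clashes, handy for scripting around the check.
conflict_count() { kdc_conf_realm_conflicts "$1" | wc -l | tr -d ' \t'; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SHARED_CONF="$WORK/kdc-shared.conf"
FIXED_CONF="$WORK/kdc-fixed.conf"

# Constructed config reproducing the two-realm layout that trips kadmind:
# REALM2 reuses REALM1's principal database, ACL file and admin keytab.
cat > "$SHARED_CONF" <<'EOF'
[kdcdefaults]
    kdc_ports = 88

[realms]
    REALM1.EXAMPLE = {
        database_name = /var/kerberos/krb5kdc/principal
        key_stash_file = /var/kerberos/krb5kdc/.k5.REALM1.EXAMPLE
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    }
    REALM2.EXAMPLE = {
        database_name = /var/kerberos/krb5kdc/principal
        key_stash_file = /var/kerberos/krb5kdc/.k5.REALM2.EXAMPLE
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    }
EOF

# Corrected config: one directory per realm, and distinct kadmind/kpasswd
# ports so one kadmind per realm can run side by side.  Each realm is then
# created with its own "kdb5_util -r <REALM> create -s", and the KDC serves
# both with "krb5kdc -r REALM1.EXAMPLE -r REALM2.EXAMPLE".
cat > "$FIXED_CONF" <<'EOF'
[realms]
    REALM1.EXAMPLE = {
        database_name = /var/kerberos/krb5kdc/REALM1.EXAMPLE/principal
        key_stash_file = /var/kerberos/krb5kdc/REALM1.EXAMPLE/.k5.REALM1.EXAMPLE
        acl_file = /var/kerberos/krb5kdc/REALM1.EXAMPLE/kadm5.acl
        admin_keytab = /var/kerberos/krb5kdc/REALM1.EXAMPLE/kadm5.keytab
        kadmind_port = 749
        kpasswd_port = 464
    }
    REALM2.EXAMPLE = {
        database_name = /var/kerberos/krb5kdc/REALM2.EXAMPLE/principal
        key_stash_file = /var/kerberos/krb5kdc/REALM2.EXAMPLE/.k5.REALM2.EXAMPLE
        acl_file = /var/kerberos/krb5kdc/REALM2.EXAMPLE/kadm5.acl
        admin_keytab = /var/kerberos/krb5kdc/REALM2.EXAMPLE/kadm5.keytab
        kadmind_port = 1749
        kpasswd_port = 1464
    }
EOF

for conf in "$SHARED_CONF" "$FIXED_CONF"; do
    if kdc_conf_realm_conflicts "$conf"; then
        echo "$conf: OK, each realm has its own database, stash, ACL and keytab"
    else
        echo "$conf: FIX before starting krb5kdc and kadmind"
    fi
done
```

Run it against the real kdc.conf before starting the daemons; on the constructed "shared" file it reports the database, ACL file and admin keytab as shared by both realms and exits non-zero, while the corrected file passes. The check only compares the literal strings, so two paths that reach the same file through a symlink will slip past it. It also says nothing about the merged single-database layout from the post; keeping one database per realm, as in the corrected file, is what sidesteps the differing-master-key problem described there.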