Multiple Realm Question...

David E. Cross david at
Thu May 15 17:23:20 EDT 2008

Ok, I've poked around some more and what I have found does not leave me 
with warm fuzzies going forward at any level.

So, I started by playing it safe and having 2 separate directories.  
This mostly worked.  The issue was that kadmind doesn't seem to like to 
have 2 principal databases with 2 private keys (stash files), and 2 
keytabs.  I would get inconsistent errors trying to "kadmin -r REALM1" 
or "kadmin -r REALM2".

I decided to try the single directory, single "principal" database 
approach.  I did this via a kdb5_util dump, kdb5_util load -update to 
merge the databases together.  It worked, sorta.  kdc seems happy with 
it, but again kadmind has issues.  This time the issues were that from 
REALM2 I can see REALM1's principals, and to the extent that kadmin 
policy allows me to, I can change keys.. which actually winds up 
corrupting REALM1's keys, as the master passwords are different (duh).  
So at this point I am not sure where this leaves me, other than having 
multiple images (which sucks for a few reasons).  It seems like all of 
this was designed to work.. it just wasn't ever coded/tested.

BTW: below are the errors I get from kadmin when doing the 2 directory, 
2 realm setup:

May 15 18:26:30 kerberos.domain kadmind[93592](Notice):     Unspecified GSS failure.  Minor code may provide more information
May 15 18:26:30 kerberos.domain kadmind[93592](Notice):     Key table entry not found
May 15 18:26:30 kerberos.domain kadmind[93592](Notice):    GSS-API error strings complete.
May 15 18:26:30 kerberos.domain  kadmind[93592](Notice): Authentication attempt failed: 10.x.y.z, GSS-API error strings are:

Any hints here, or do I need to go code spelunking?

David E. Cross

David E. Cross wrote:
> .. Not entirely sure this is appropriate for krbdev... but it seems to 
> relate directly to the MIT codebase, and I haven't found any answers in 
> FAQs, etc..
> I am looking to set up multiple realms on a single KDC, specifically the 
> "right" way to do this.
> It _seems_ that the architecture is in place to do all of it with a 
> single database, all of the principals within the "principal" file have 
> their REALMs as part of the key, the per-realm secret is set up by 
> default to be .k5.REALM.. so it seems it can all share a single 
> database.  However when I try to kdb5_util -r SECOND.REALM -s  it dies 
> on an error that the principal database already exists.
> Must I have multiple principal files?  If so, why, it seems like a fair 
> bit of thought was put in place to allow sharing.   If it's just a limit 
> on creation (it seems to be), can I (should I) kdb5_util dump/load/merge 
> my way around it?
> Thank you.
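For reference, this is the per-realm kdc.conf layout that the two-directory, two-stash-file setup described above depends on. It is an added illustration, not taken from David's message or from the MIT tree; REALM1 and REALM2 are the names used in the thread, while the directory paths and the second kadmind port are assumed values.

```ini
# Added illustration (not from the thread): one kdc.conf serving two realms,
# each with its own principal database, stash file, ACL file and admin keytab.
# REALM1/REALM2 come from the thread; every path and the 1749 port are assumed.
[kdcdefaults]
    kdc_ports = 88

[realms]
    REALM1 = {
        database_name  = /var/krb5kdc/realm1/principal
        key_stash_file = /var/krb5kdc/realm1/.k5.REALM1
        acl_file       = /var/krb5kdc/realm1/kadm5.acl
        admin_keytab   = FILE:/var/krb5kdc/realm1/kadm5.keytab
        kadmind_port   = 749
    }
    REALM2 = {
        database_name  = /var/krb5kdc/realm2/principal
        key_stash_file = /var/krb5kdc/realm2/.k5.REALM2
        acl_file       = /var/krb5kdc/realm2/kadm5.acl
        admin_keytab   = FILE:/var/krb5kdc/realm2/kadm5.keytab
        kadmind_port   = 1749
    }
```

A kadmind process serves a single realm, so each realm needs its own instance (kadmind -r REALM2) bound to its own kadmind_port, with clients pointed at it via admin_server = host:1749 in that realm's krb5.conf [realms] stanza. "Key table entry not found" is the GSS minor status reported when the kadmind instance that actually answered cannot find a matching entry in the admin_keytab it was started with, which is worth checking before assuming the database layout is at fault.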
