Multiple Realm Question...

[David E. Cross]

Separate ports, etc.. is a really kludgy solution, and according to the 
documentation (for kadmind even) in multiple places it shouldn't be 
needed.  For example:

keytab    Kadmind  requires a keytab containing correct entries for the
    kadmin/admin and kadmin/changepw principals for  every  realm
    that  kadmind  will  answer  requests for.

-r realm   ...  kadmind will  answer requests for any realm that exists 
in the local KDC
    database and for which the appropriate  principals  are  in  its
    keytab.

-- 
David E. Cross

Tim Mooney wrote:
> In regard to: Re: Multiple Realm Question..., David E. Cross said (at...:
>
>> So, I started by playing it safe and having 2 separate directories.
>> This mostly worked.  The issue was that kadmind doesn't seem to like to
>> have 2 principal databases with 2 private keys (stash files), and 2
>> keytabs.  I would get inconsistent errors trying to "kadmin -r REALM1"
>> or "kadmin -r REALM2".
>
> We've served multiple realms from one host for several years.  What's
> worked for us is
>
> - one kdc process serving multiple separate databases, in multiple
>   separate directories.
>
> - a kadmind process for each realm.  kadmind obviously needs to listen
>   on different ports for different realms, if you only have one IP 
> address
>   associated with the box.
>
> - on any secondary servers, one kpropd for each realm, also each on a
>   separate port.
>
>
> I've posted information on how to set this up previously, and someone 
> else
> has done a more thorough "How To" guide on the same process.  Do some
> searching (don't forget to search Usenet groups, as it was probably 
> posted
> to the "general use" mailing list, which is gatewayed to a newsgroup)
> and you should turn up the necessary info on how to do this.
>
> Tim