Project Review: kinit -C

Nicolas Williams Nicolas.Williams at oracle.com
Thu Sep 16 18:04:13 EDT 2010


On Thu, Sep 16, 2010 at 04:49:16PM -0500, Tim Mooney wrote:
> In regard to: Re: Project Review: kinit -C, Nicolas Williams said (at...:
> 
> > IMO there should be a single KDB per-KDC host because: a) one should use
> > VMs to run distinct realms' KDCs on a single system,
> 
> I'll bite.  Why?

First, remember that I'm saying I don't mind if Sam doesn't "change to
the KDB keytab to take the realm of the KDB as its argument".  That is,
I don't mind that, but I don't think it should be required.

Now, the answer to your question...  If you're going to run multiple
KDCs on one system w/o virtualization, then you'll need to use non-
default ports.  And while that's workable now that DNS SRV RRs can be
used for discovery, using non-default port numbers is still a PITA.
Finally, if multiple KDCs on different ports happens to work but kinit
-k -t KDB:... doesn't work for more than just one realm, I don't think I
mind -- that's hardly a critical feature.

Also, allowing multiple KDCs on different network interfaces would add
significant complexity to the network re-configuration code and/or would
mean that krb5kdc and kadmind cannot adjust automatically to network
configuration.  So it really has to be the case that if you must run
multiple KDCs on one host then they must use different port numbers.

Virtualization is an easy answer here.  But also, as I said, there's no
reason that one KDB couldn't hold more than one realm's principals in
it, so that if you don't want to virtualize, then why not just make it
so multiple realms can share one KDB?  krb5kdc already supports that...
Only kadmind (and kpropd?) doesn't.

Nico
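The SRV-based discovery Nico relies on above, as an added example (not code from the thread or from MIT Kerberos): constructed `_kerberos._udp` records point two realms at distinct, non-default ports on one shared KDC host, and a client orders the candidates per RFC 2782 (lowest priority first, weighted random within a priority). The zone data, hostnames and ports are assumptions.

```python
import random
from collections import defaultdict

# Constructed zone fragment (assumption, not a real deployment): two realms whose
# KDCs share one host, so each realm's KDC must listen on its own non-default port.
ZONE = """\
_kerberos._udp.EXAMPLE.COM. 3600 IN SRV 0 100 8888 kdc.example.com.
_kerberos._udp.EXAMPLE.COM. 3600 IN SRV 10 0 88 backup.example.com.
_kerberos._udp.EXAMPLE.NET. 3600 IN SRV 0 60 8889 kdc.example.com.
_kerberos._udp.EXAMPLE.NET. 3600 IN SRV 0 40 8890 kdc2.example.net.
"""

def parse_srv(zone_text):
    """Parse 'owner TTL IN SRV priority weight port target' lines, keyed by owner name."""
    records = defaultdict(list)
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[3] != "SRV":
            continue  # skip anything that is not a well-formed SRV line
        owner = fields[0].lower().rstrip(".")
        prio, weight, port = (int(x) for x in fields[4:7])
        records[owner].append({"priority": prio, "weight": weight,
                               "port": port, "target": fields[7].rstrip(".")})
    return records

def order_srv(rrs, rng):
    """Order (host, port) targets per RFC 2782 using the supplied random source."""
    ordered = []
    by_prio = defaultdict(list)
    for rr in rrs:
        by_prio[rr["priority"]].append(rr)
    for prio in sorted(by_prio):          # lower priority value is tried first
        pool = list(by_prio[prio])
        while pool:                       # weighted random draw among equal-priority RRs
            total = sum(rr["weight"] for rr in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for rr in pool:
                running += rr["weight"]
                if running >= pick:
                    ordered.append((rr["target"], rr["port"]))
                    pool.remove(rr)
                    break
    return ordered

def kdc_candidates(realm, zone_text=ZONE, rng=None):
    """Return the KDC (host, port) list a client should try for `realm`, in order."""
    rrs = parse_srv(zone_text).get(f"_kerberos._udp.{realm.lower()}", [])
    return order_srv(rrs, rng or random.Random())
```

Because the port travels in the SRV record, neither realm's clients need a hand-edited krb5.conf to find the non-default port.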