Project Review: kinit -C

John Hascall john at iastate.edu
Fri Sep 17 07:58:02 EDT 2010


Nicolas Williams <Nicolas.Williams at oracle.com> writes:
> Now, the answer to your question...  If you're going to run multiple
> KDCs on one system w/o virtualization, then you'll need to use non-
> default ports. [if you assume your point below] ...

> Also, allowing multiple KDCs on different network interfaces would add
> significant complexity to the network re-configuration code and/or would
> mean that krb5kdc and kadmind cannot adjust automatically to network
> configuration.

I'm wondering why this would be.  I'm thinking this isn't much more
than a config file and/or command line option a la '-i eth0' and
an if-statement here or there.  In fact, even in the absence of
multiple KDCs I would think restricting which interface you would
talk to might be a good thing.

Also, perhaps I haven't been paying close enough attention, but what is
the use case for adding the complexity of automatically dealing with
network reconfiguration?  For example, our KDCs have had the same
IP addresses for over 20 years, so for us at least, I'm not seeing a value.

> Virtualization is an easy answer here.

Perhaps we're paranoid, but it's not one I ever see us
using on something like a KDC.


John
-------------------------------------------------------------------------------
John Hascall, john at iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
IT Services, The Iowa State University of Science and Technology
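The point above about restricting which interface a KDC talks on can be shown with a small listener-policy check. The following is an added example written for this thread; it is not krb5kdc or kadmind code, and the whitespace-separated "addr:port" listen-spec format, the wildcard policy and the function names are assumptions made for the example. It parses a list of explicit listen addresses, refuses any entry that would bind every interface, and binds UDP sockets only to the addresses named, which is the effect the hypothetical '-i eth0' style option would have.

```python
"""Added example (not from the thread or from MIT krb5): pin a daemon's
listeners to explicit addresses instead of the wildcard."""
import socket

KDC_DEFAULT_PORT = 88  # standard Kerberos port; the listen spec may override it

# Addresses that mean "every interface"; the policy below rejects them.
WILDCARDS = {"0.0.0.0", "::", ""}


def parse_listen_spec(spec, default_port=KDC_DEFAULT_PORT):
    """Parse a whitespace-separated list of 'addr', 'addr:port' or
    '[v6addr]:port' entries into (host, port) tuples.

    The format is an assumption for this example, not a krb5 config key.
    """
    entries = []
    for item in spec.split():
        if item.startswith("["):               # bracketed IPv6 literal
            host, _, rest = item[1:].partition("]")
            port = int(rest[1:]) if rest.startswith(":") else default_port
        elif item.count(":") == 1:             # IPv4 host with explicit port
            host, _, port = item.partition(":")
            port = int(port)
        else:                                  # bare IPv4 or bare IPv6 host
            host, port = item, default_port
        entries.append((host, port))
    return entries


def is_wildcard(host):
    """True if binding to this host would listen on every interface."""
    return host in WILDCARDS


def wildcard_entries(entries):
    """Return the hosts in the spec that would bind every interface."""
    return [host for host, _ in entries if is_wildcard(host)]


def check_pinned(entries):
    """Enforce the 'only the named interfaces' policy: raise if any entry is a
    wildcard, otherwise return the entries unchanged."""
    bad = wildcard_entries(entries)
    if bad:
        raise ValueError("wildcard listener not allowed: %r" % bad)
    return entries


def open_udp_listeners(entries):
    """Bind one UDP socket per (host, port) and return (sockets, bound addrs).

    Port 0 lets the OS pick a free port, which keeps the example runnable
    without privileges; a real KDC would use port 88.
    """
    socks, bound = [], []
    for host, port in check_pinned(entries):
        family = socket.AF_INET6 if ":" in host else socket.AF_INET
        s = socket.socket(family, socket.SOCK_DGRAM)
        s.bind((host, port))
        socks.append(s)
        bound.append(s.getsockname()[:2])   # (address, port) actually bound
    return socks, bound


if __name__ == "__main__":
    # Constructed spec: loopback only, OS-chosen port.
    spec = "127.0.0.1:0"
    socks, bound = open_udp_listeners(parse_listen_spec(spec))
    print("listening on", bound)
    for s in socks:
        s.close()
```

With a spec such as "0.0.0.0" the policy check raises instead of binding, so a misconfigured KDC fails to start rather than silently answering on every interface; getsockname() on each bound socket confirms the listener is pinned to the address that was asked for.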