Project Review: kinit -C

Tim Mooney mooney at dogbert.cc.ndsu.nodak.edu
Fri Sep 17 09:26:11 EDT 2010


In regard to: Re: Project Review: kinit -C, Roland C. Dowdeswell said (at...:

> On Thu, Sep 16, 2010 at 05:04:13PM -0500, Nicolas Williams wrote:
>
>> On Thu, Sep 16, 2010 at 04:49:16PM -0500, Tim Mooney wrote:
>>> In regard to: Re: Project Review: kinit -C, Nicolas Williams said (at...:
>>>
>>>> IMO there should be a single KDB per-KDC host because: a) one should use
>>>> VMs to run distinct realms' KDCs on a single system,
>>>
>>> I'll bite.  Why?
>>
>> First, remember that I'm saying I don't mind if Sam doesn't "change to
>> the KDB keytab to take the realm of the KDB as its argument".  That is,
>> I don't mind that, but I don't think it should be required.
>>
>> Now, the answer to your question...  If you're going to run multiple
>> KDCs on one system w/o virtualization, then you'll need to use non-
>> default ports.  And while that's workable now that DNS SRV RRs can be
>> used for discovery, using non-default port numbers is still a PITA.
>
> Using non-default port numbers is not supported by SSPI on MSFT.
> We found that Windows just ignored the port bit and tries 88, IIRC.
> To run differently configured KDCs on the same host, you need to
> use different IP addresses in a heterogeneous environment.

That's slightly different from what Nico said, though, which is why I
was asking for a little more information.

We've been running one krb5kdc process serving multiple (11) realms from
multiple databases on our primary and secondary KDC for years and never
had a problem.  You're correct that you do need to run the kadminds (on
the master) and kpropds (on the secondaries) on distinct ports, but a
single krb5kdc can run on just 88 and serve multiple realms.

Tim
-- 
Tim Mooney                                  mooney at dogbert.cc.ndsu.NoDak.edu
Enterprise Computing & Infrastructure       701-231-1076 (Voice)
Room 242-J6, IACC Building                  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
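As an added illustration of the layout Tim describes above (one krb5kdc on port 88 serving several realms from separate databases, with kadmind and kpropd on distinct ports), here is a constructed kdc.conf fragment and the matching daemon invocations; this is not from the thread, and the realm names, file paths and port numbers are assumed values.

```ini
# Constructed example kdc.conf (MIT Kerberos). Realm names, paths and
# port numbers are assumed; adjust to the local layout.
[kdcdefaults]
    # Both realms share the standard KDC port; krb5kdc demultiplexes
    # requests by the realm named in the request, so no extra ports
    # are needed for the AS/TGS service itself.
    kdc_ports     = 88
    kdc_tcp_ports = 88

[realms]
    EXAMPLE.COM = {
        # Separate database, stash file and admin ACL per realm, so a
        # compromise or misconfiguration of one realm's admin ACL does
        # not grant rights in the other.
        database_name  = /var/kerberos/krb5kdc/principal.example.com
        key_stash_file = /var/kerberos/krb5kdc/.k5.EXAMPLE.COM
        acl_file       = /var/kerberos/krb5kdc/kadm5.acl.example.com
        # kadmind listens on two ports (kadmin and kpasswd); each realm's
        # kadmind must get its own pair.
        kadmind_port   = 749
        kpasswd_port   = 464
    }
    EXAMPLE.NET = {
        database_name  = /var/kerberos/krb5kdc/principal.example.net
        key_stash_file = /var/kerberos/krb5kdc/.k5.EXAMPLE.NET
        acl_file       = /var/kerberos/krb5kdc/kadm5.acl.example.net
        kadmind_port   = 750   # distinct from the first realm's 749
        kpasswd_port   = 465   # distinct from the first realm's 464
    }

# Daemon invocations (assumed hostnames):
#   Master KDC, one krb5kdc for all realms, one kadmind per realm:
#     krb5kdc -r EXAMPLE.COM -r EXAMPLE.NET
#     kadmind -r EXAMPLE.COM
#     kadmind -r EXAMPLE.NET          # ports come from the stanza above
#   Secondary KDC, one kpropd per realm on its own port:
#     kpropd -r EXAMPLE.COM -P 754
#     kpropd -r EXAMPLE.NET -P 755
#   Propagation from the master uses the matching port:
#     kprop -r EXAMPLE.NET -P 755 kdc2.example.net
```

Each kpropd listens on its own port, and kprop on the master must be told the same port for that realm, so the chosen port numbers should be kept in sync between the two hosts.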