Project Review: kinit -C

Nicolas Williams Nicolas.Williams at oracle.com
Fri Sep 17 11:34:53 EDT 2010


On Fri, Sep 17, 2010 at 06:58:02AM -0500, John Hascall wrote:
> > Also, allowing multiple KDCs on different network interfaces would add
> > significant complexity to the network re-configuration code and/or would
> > mean that krb5kdc and kadmind cannot adjust automatically to network
> > configuration.
> 
> I'm wondering why this would be.  I'm thinking this isn't much more
> than a config file and/or command line option a la '-i eth0' and
> an if-statement here or there.  In fact, even in the absence of
> multiple KDCs I would think restricting which interface you would
> talk to might be a good thing.

Why would that be a good thing?  If it'd be inappropriate to run the KDC
on one interface then chances are you should be doing something more
involved to separate your network traffic anyways.

> Also, perhaps I haven't been paying close enough attention, but what is
> the use case for adding the complexity of automatically dealing with
> network reconfiguration.  For example, our KDCs have had the same
> IP addresses for over 20 years, so for us at least, I'm not seeing a value.

On the few occasions where reconfiguration is done, it's nice to know
that the various software components of a system can adjust
automatically -- less work to do.

> > Virtualization is an easy answer here.
> 
> Perhaps we're paranoid, but it's not one I ever see us
> using on something like a KDC.

To separate realms?  I do.  OTOH, if you don't need it (because all are
administered by the same org), then why not just have one KDB?

Also, again, I don't mind multiple KDBs...  I was just telling Sam I
don't think it should be a requirement for his project.

Nico