Suggestion of change to certauth plugin interface

[Nico Williams]

On Fri, Dec 09, 2022 at 07:16:14AM -0500, Ken Hornstein via krbdev wrote:
> >Does NRL use the current multiple realm KDC support?  I have been 
> >assuming that it's very rare to do so, because there isn't equivalent 
> >support in kadmind.
> 
> We do not, and I do not know of anyone that does that (but I probably
> am only familiar with the configuration of less than a dozen realms
> and most of them are in a similar environment as ours, so it doesn't
> make sense in those situations).

Heimdal, like MIT, can do it sort of.  It really needs to be fully
supported.  For example, if we added aliasing of realms (which Heimdal
can do), possibly using case-insensitivity, it ought to just work.  Most
of the issues with multiple realms in one KDC are specific to
configuration of the KDC services, not the co-existence of multiple
realms' KDBs in one, or the KDC services being able to query multiple
distinct KDBs.  There's no reason that kadmind should accept only one
`-r REALM` option, or that it should require even one -- there should be
a way to say "any realm for which there is a keytab entry" (or a KDB
entry when using the KDB as a keytab).

Nico
--