Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 2.24. Can I have multiple realms on a single KDC?

From: Christopher Misra <crispy@nic.umass.edu>

     I run a single KDC that maintains three databases all kept in
     separate subdirs. I then run three kadmin processes, and just
     manually configure the port to be in sync.

     Here is a list of the processes as running (from ps):

     .../sbin/krb5kdc -r <realm1> -r <realm2> -r <realm3>

     .../sbin/kadmind -r <realm1>
     .../sbin/kadmind -r <realm2> -port 748
     .../sbin/kadmind -r <realm3> -port 747

     Although maybe not exactly the way it should be done, it has
     worked for me. Presently I only keep a slave KDC for one of the
     three databases, but it should be reasonably trivial to run an
     additional slave of one of the other db's.

     Included below is a cleaned up version of my kdc.conf and
     kpropd.acl just to be complete.

     Also included below is the command line for running kprop, as I
     remember it taking me the better part of a day to get it all
     working.

     Hope this helps. All this is, good or bad, provided without any
     guarantee, etc.

     --- kdc.conf:

     [kdcdefaults]

     [realms]
        <realm1> = {
             profile = /etc/krb5.conf
             database_name = .../var/krb5kdc/<realm1>/principal
             admin_database_name = .../var/krb5kdc/<realm1>/principal.kadm5
             admin_database_lockfile = .../var/krb5kdc/<realm1>/principal.kadm5.lock
             admin_keytab = .../var/krb5kdc/<realm1>/kadm5.keytab
             acl_file = .../var/krb5kdc/<realm1>/kadm5.acl
             dict_file = .../var/krb5kdc/kadm5.dict
             key_stash_file = .../var/krb5kdc/<realm1>/.k5stash
             kadmind_port = 748
             max_life = 10h 0m 0s
             max_renewable_life = 7d 0h 0m 0s
             master_key_type = <enc-type>
             }
       <realm2> = {
             profile = /etc/krb5.conf
             database_name = .../var/krb5kdc/<realm2>/principal
             admin_database_name = .../var/krb5kdc/<realm2>/principal.kadm5
             admin_database_lockfile = .../var/krb5kdc/<realm2>/principal.kadm5.lock
             admin_keytab = .../var/krb5kdc/<realm2>/kadm5.keytab
             acl_file = .../var/krb5kdc/<realm2>/kadm5.acl
             dict_file = .../var/krb5kdc/kadm5.dict
             key_stash_file = .../var/krb5kdc/<realm2>/.k5stash
             kadmind_port = 749
             max_life = 10h 0m 0s
             max_renewable_life = 7d 0h 0m 0s
             master_key_type = <enc-type>
             }
        <realm3> = {
             profile = /etc/krb5.conf
             database_name = .../var/krb5kdc/<realm3>/principal
             admin_database_name = .../var/krb5kdc/<realm3>/principal.kadm5
             admin_database_lockfile = .../var/krb5kdc/<realm3>/principal.kadm5.lock
             admin_keytab = .../var/krb5kdc/<realm3>/kadm5.keytab
             acl_file = .../var/krb5kdc/<realm3>/kadm5.acl
             dict_file = .../var/krb5kdc/kadm5.dict
             key_stash_file = .../var/krb5kdc/<realm3>/.k5stash
             kadmind_port = 747
             max_life = 10h 0m 0s
             max_renewable_life = 7d 0h 0m 0s
             master_key_type = <enc-type>
             }

     --- kpropd.acl

     host/<master_kdc.domain>@<realm1>
     host/<slave_kdc.domain>@<realm1>

     --- kprop command line arguments

     .../sbin/kprop -r <realm1> -f <filename> -P <port> <slave_kdc.domain>

     This requires kpropd be running on the appropriate slave_kdc (I do
     it from inetd; this could be argued to be bad, but oh well...)
     with a -R <realm1> argument.
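The post keeps the three realms' ports and per-realm files "in sync" by hand, and the setup only stays safe as long as no two realms end up pointing at the same database, stash file, ACL file or kadmind port. The following check is an added example, not code from the FAQ or its contributor: a small Python script that parses the [realms] section of a kdc.conf written in the flat key = value stanza form shown above and reports every value that two realms share. The sample kdc.conf, its realm names and paths are constructed for the example (two collisions are planted on purpose); the parser assumes flat stanzas and does not handle nested sub-stanzas; the 749 default for kadmind_port and the fact that an explicit -port on the kadmind command line overrides it are MIT Kerberos behaviour.

```python
"""Check a multi-realm MIT Kerberos kdc.conf for settings shared between realms."""
import re
from collections import defaultdict

# Constructed sample modelled on the FAQ's kdc.conf; realm names and paths
# are made up. TEST.EXAMPLE.ORG deliberately reuses EXAMPLE.ORG's stash file
# and kadmind port so the checker has something to find.
SAMPLE_KDC_CONF = """\
[kdcdefaults]

[realms]
   EXAMPLE.ORG = {
        database_name = /var/krb5kdc/EXAMPLE.ORG/principal
        key_stash_file = /var/krb5kdc/EXAMPLE.ORG/.k5stash
        acl_file = /var/krb5kdc/EXAMPLE.ORG/kadm5.acl
        kadmind_port = 748
        }
   LAB.EXAMPLE.ORG = {
        database_name = /var/krb5kdc/LAB.EXAMPLE.ORG/principal
        key_stash_file = /var/krb5kdc/LAB.EXAMPLE.ORG/.k5stash
        acl_file = /var/krb5kdc/LAB.EXAMPLE.ORG/kadm5.acl
        kadmind_port = 749
        }
   TEST.EXAMPLE.ORG = {
        database_name = /var/krb5kdc/TEST.EXAMPLE.ORG/principal
        key_stash_file = /var/krb5kdc/EXAMPLE.ORG/.k5stash
        acl_file = /var/krb5kdc/TEST.EXAMPLE.ORG/kadm5.acl
        kadmind_port = 748
        }
"""

# Settings that must be private to one realm on a shared KDC: a shared
# database or stash file means one realm's principals or master key can be
# clobbered by another's, and a shared port means one kadmind never starts.
EXCLUSIVE_KEYS = ("database_name", "admin_database_name", "key_stash_file",
                  "acl_file", "kadmind_port")


def parse_realms(text):
    """Return {realm: {key: value}} from the [realms] section of a kdc.conf.

    Assumes the flat 'key = value' stanzas used in the FAQ; nested
    sub-stanzas are not handled. '#' starts a comment.
    """
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "realms":
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            current = m.group(1)
            realms[current] = {}
            continue
        if line == "}":
            current = None
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[current][key] = value
    return realms


def find_collisions(realms, keys=EXCLUSIVE_KEYS):
    """Return sorted (key, value, [realms]) triples where 2+ realms share a value."""
    seen = defaultdict(list)
    for realm, settings in realms.items():
        for key in keys:
            if key in settings:
                seen[(key, settings[key])].append(realm)
    return sorted((k, v, sorted(r)) for (k, v), r in seen.items() if len(r) > 1)


def effective_kadmind_port(realms, realm, kadmind_argv=()):
    """Port kadmind listens on for `realm`: an explicit -port on its command
    line wins over kadmind_port in kdc.conf, which itself defaults to 749."""
    argv = list(kadmind_argv)
    if "-port" in argv:
        return int(argv[argv.index("-port") + 1])
    return int(realms.get(realm, {}).get("kadmind_port", 749))


def missing_stanzas(realms, krb5kdc_argv):
    """Realms given with -r on the krb5kdc command line that have no [realms] stanza."""
    named = [krb5kdc_argv[i + 1] for i, a in enumerate(krb5kdc_argv) if a == "-r"]
    return [r for r in named if r not in realms]


if __name__ == "__main__":
    cfg = parse_realms(SAMPLE_KDC_CONF)
    for key, value, who in find_collisions(cfg):
        print(f"collision: {key} = {value} shared by {', '.join(who)}")
```

Run it against a real file by replacing SAMPLE_KDC_CONF with the contents of /etc/krb5kdc/kdc.conf (or wherever the KDC keeps it); effective_kadmind_port is there because, as in the post's ps listing, the port a kadmind actually binds can come from the command line rather than from kdc.conf, so the two have to be reconciled before comparing realms.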
