[27056] in Kerberos
Re: Migrating a Kerberos Realm
daemon@ATHENA.MIT.EDU (Edward Murrell)
Tue Nov 21 17:08:08 2006
Message-ID: <4563790F.6040607@dlconsulting.com>
Date: Wed, 22 Nov 2006 11:09:19 +1300
From: Edward Murrell <edward@dlconsulting.com>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <AD200F74-521F-4DED-A578-EAFD1B17BC4E@mit.edu>
X-SA-Exim-Mail-From: edward@dlconsulting.com
Reply-To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Things aren't working too well.

So possibly against my better judgement, I now have two realms traipsing
around the network.

For those who deleted the conversation, I have a non-canonical
domain/realm (.office) and it would be really good to have the overseas
servers using Kerberos. This is somewhat difficult with a domain that
doesn't work outside the office.

Anyhoo, the decision has been made to create a COMPANY.COM realm and do
cross realm authentication to ease the transition between the two realms.

The COMPANY.COM realm works great. According to the documentation here:
http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.4/doc/krb5-admin/Cross-realm-Authentication.html
I've run these two commands (on both servers):

addprinc -requires_preauth krbtgt/OFFICE@COMPANY.COM
addprinc -requires_preauth krbtgt/COMPANY.COM@OFFICE

And er... it doesn't work. Did I miss something?

Kerberos kdc (and clients) are 1.4.3 running on Ubuntu Linux (Dapper).
Edward
Ken Raeburn wrote:
> On Nov 1, 2006, at 20:55, Edward Murrell wrote:
>> Given the size of the company (eight people, twice that many machines),
>> I won't be able to justify the work of writing code to reconstruct
>> database records, and re-entering passwords isn't too big a deal. So it
>> looks like I'll be running two KDCs from one server. I'll probably
>> switch over a backup server, rather than using the primary KDC, that's
>> just asking for trouble.
>
> Ah, I see. From my initial reading of your description I thought it
> might've been larger...
>
>> In order to avoid completely breaking everything, the secondary KDC will
>> have the default ports use the new realm and use weirdo ports (default +
>> 1) for the 'old' realm. This will be interesting.
>
> That should work fine. Though I think we might have a pair of
> services on neighboring port numbers, I'm not sure if they're ones
> you'd be running on a backup server. I'd probably just go for
> default+10000 or something, myself....
>
> You might want to take a peek at our test suite (src/tests/dejagnu),
> which fires up all the KDC programs on alternate ports, puts the
> proper specs in the config files, etc. It's not terribly easy to
> read, though, unless you're familiar with Tcl already.
>
> Ken
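The thread above talks about two pieces of a direct cross-realm setup that are easy to get wrong when both realms live on one host: the client-side krb5.conf (per-realm KDC entries on distinct ports, a direct [capaths] entry in each direction, and a [domain_realm] mapping for the non-canonical .office domain) and the kadmin side (the two krbtgt cross-realm principals). The script below is an added example, not code from the thread or from MIT Kerberos: a small parser for the krb5.conf format plus a checker that reports what is missing for a two-realm trust. The sample configuration, the hostname kdc.company.com and the ports 10088/10749 for the old OFFICE realm are constructed assumptions chosen to match the situation the post describes.

```python
"""Minimal krb5.conf parser and a sanity check for a direct two-realm trust.

Added example; the config below is constructed to mirror the post: the new
COMPANY.COM realm on the default ports and the old OFFICE realm on
default+10000, both served from one host (hostname and ports are assumed).
"""
import re
from typing import Any, Dict, List

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = COMPANY.COM

[realms]
    COMPANY.COM = {
        kdc = kdc.company.com:88
        admin_server = kdc.company.com:749
    }
    OFFICE = {
        kdc = kdc.company.com:10088
        admin_server = kdc.company.com:10749
    }

[domain_realm]
    .office = OFFICE
    .company.com = COMPANY.COM

[capaths]
    OFFICE = {
        COMPANY.COM = .
    }
    COMPANY.COM = {
        OFFICE = .
    }
"""


def parse_krb5_conf(text: str) -> Dict[str, Any]:
    """Parse the INI-with-braces krb5.conf format.

    "[name]" starts a top-level section, "key = {" opens a nested block that
    ends at a bare "}", and repeated keys (several "kdc =" lines) accumulate
    into a list, so every leaf value is a list of strings.
    """
    conf: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = []  # currently open (nested) sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside any [section]: %r" % line)
        if line == "}":
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("cannot parse line: %r" % line)
        key, value = key.strip(), value.strip()
        if value == "{":
            child: Dict[str, Any] = {}
            stack[-1][key] = child
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def check_cross_realm(conf: Dict[str, Any], realm_a: str, realm_b: str) -> List[str]:
    """Return findings for a direct trust between two realms; [] means none."""
    findings: List[str] = []
    realms = conf.get("realms", {})
    seen: Dict[tuple, str] = {}  # (host, port) -> realm that claims it
    for realm in (realm_a, realm_b):
        entry = realms.get(realm)
        if not isinstance(entry, dict) or "kdc" not in entry:
            findings.append("[realms] lists no kdc for %s" % realm)
            continue
        for kdc in entry["kdc"]:
            host, _, port = kdc.partition(":")
            key = (host, port or "88")  # 88 is the default KDC port
            if seen.get(key, realm) != realm:
                findings.append("%s and %s both list KDC %s:%s; two realms on "
                                "one host need distinct ports" % (seen[key], realm, *key))
            seen[key] = realm
    capaths = conf.get("capaths", {})
    for src, dst in ((realm_a, realm_b), (realm_b, realm_a)):
        block = capaths.get(src)
        if not isinstance(block, dict) or block.get(dst) != ["."]:
            findings.append("[capaths] does not declare %s -> %s as a direct "
                            "path (%s = .)" % (src, dst, dst))
    mapped = {v[0] for v in conf.get("domain_realm", {}).values() if isinstance(v, list)}
    for realm in (realm_a, realm_b):
        if realm not in mapped:
            findings.append("[domain_realm] maps no domain to %s" % realm)
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in check_cross_realm(conf, "OFFICE", "COMPANY.COM") or ["config looks complete"]:
        print(finding)
```

The checker only covers the client configuration; the other half of a direct trust is that krbtgt/OFFICE@COMPANY.COM and krbtgt/COMPANY.COM@OFFICE must exist in both KDC databases with the same key (same password and kvno) on each side, which kadmin cannot verify for you from one realm alone.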
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos