Re: Multi Realm Question
daemon@ATHENA.MIT.EDU (Tom Parker)
Fri Sep 3 16:49:21 2010
Message-ID: <4C815ED5.3030107@cbnco.com>
Date: Fri, 03 Sep 2010 16:47:17 -0400
From: Tom Parker <tparker@cbnco.com>
MIME-Version: 1.0
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <1283546426.5992.1154.camel@ray>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 09/03/2010 04:40 PM, Greg Hudson wrote:
> On Fri, 2010-09-03 at 15:36 -0400, Tom Parker wrote:
>> My question therefore is: Is there a way to run a single KDC with two
>> realms, one as master for XX.EXAMPLE.COM and one as slave for
>> EXAMPLE.COM? And if not, how would you solve this?
> It is possible for a single MIT krb5 KDC process to serve multiple
> realms, so this should in theory be possible.
We have tried running more than one realm on our test KDCs and things
have freaked out. I will keep testing and see if we can make it work
now that we have moved to LDAP backed KDCs.
> However, I don't think I fully understand your requirements. Why is it
> necessary for the EXAMPLE.COM slave to be the same KDC as the
> XX.EXAMPLE.COM master?
Our firewall rules are rather tight and only a limited number of servers
in a local site can see the master kdc for EXAMPLE.COM at our head
office as well as be seen by all the clients on the local network.
Most clients on the local network cannot see the head office at all and
don't need to (password changes for head office users will be done at
the head office only).
I am trying to avoid the need for a 3rd authentication server at my
remote sites (XX.EXAMPLE.COM master and slave + EXAMPLE.COM slave).
Tom
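As an added illustration of Greg's point that one krb5kdc process can serve several realms, here is a kdc.conf with one [realms] stanza per realm; it is not from the thread, and the file paths and lifetimes are assumptions. The essential part is that each realm gets its own database_name and key_stash_file: if those are left at their defaults, both realms point at the same database and stash, which is not a workable setup.

```ini
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    # Realm this KDC is authoritative (master) for. Paths are assumed.
    XX.EXAMPLE.COM = {
        database_name = /var/krb5kdc/xx-principal
        key_stash_file = /var/krb5kdc/.k5.XX.EXAMPLE.COM
        acl_file = /var/krb5kdc/kadm5-xx.acl
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

    # Realm this KDC only holds a replicated (slave) copy of.
    # The database is received from the head-office master with kprop,
    # so no kadmind runs for it here and password changes stay at head office.
    EXAMPLE.COM = {
        database_name = /var/krb5kdc/example-principal
        key_stash_file = /var/krb5kdc/.k5.EXAMPLE.COM
        acl_file = /var/krb5kdc/kadm5-example.acl
    }
```

The slave copy of EXAMPLE.COM still needs a kpropd instance on this host that is told which realm it receives (kpropd's -r option), and the head-office master's kprop must be allowed through the firewall to this one server only, which matches the limited visibility described above.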
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos