On 09/03/2010 04:40 PM, Greg Hudson wrote:
> On Fri, 2010-09-03 at 15:36 -0400, Tom Parker wrote:
>> My question therefore is: Is there a way to run a single KDC with two
>> realms, one as master for XX.EXAMPLE.COM and one as slave for
>> EXAMPLE.COM? And if not, how would you solve this?

> It is possible for a single MIT krb5 KDC process to serve multiple
> realms, so this should in theory be possible.

We have tried running more than one realm on our test KDCs and things have freaked out. I will keep testing and see if we can make it work now that we have moved to LDAP-backed KDCs.

> However, I don't think I fully understand your requirements. Why is it
> necessary for the EXAMPLE.COM slave to be the same KDC as the
> XX.EXAMPLE.COM master?

Our firewall rules are rather tight, and only a limited number of servers in a local site can see the master KDC for EXAMPLE.COM at our head office as well as be seen by all the clients on the local network.

Most clients on the local network cannot see the head office at all and don't need to (password changes for head office users will be done at the head office only). I am trying to avoid the need for a 3rd authentication server at my remote sites (XX.EXAMPLE.COM master and slave + EXAMPLE.COM slave).

Tom

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
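An added illustration, not from the thread and not from MIT's own documentation, of the layout Greg describes: one krb5kdc process serving two realms from a single kdc.conf, with this host acting as master for XX.EXAMPLE.COM and as a kprop slave for EXAMPLE.COM. The realm names are the thread's; every file path, the ticket lifetimes and the kpropd ACL entry are assumptions.

```ini
# kdc.conf for one KDC that is master for XX.EXAMPLE.COM and
# kprop slave for EXAMPLE.COM (added example; paths are assumptions).
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    # Local realm: this host holds the master database and runs kadmind.
    XX.EXAMPLE.COM = {
        database_name = /var/kerberos/krb5kdc/principal.xx
        key_stash_file = /var/kerberos/krb5kdc/.k5.XX.EXAMPLE.COM
        acl_file = /var/kerberos/krb5kdc/kadm5.acl.xx
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

    # Head-office realm: a read-only copy received via kprop/kpropd.
    # Separate database and stash file so the two realms never share
    # a master key or a database file.
    EXAMPLE.COM = {
        database_name = /var/kerberos/krb5kdc/principal.ex
        key_stash_file = /var/kerberos/krb5kdc/.k5.EXAMPLE.COM
        acl_file = /var/kerberos/krb5kdc/kadm5.acl.ex
    }

# Start the KDC for both realms (each -r names one realm to serve):
#   krb5kdc -r XX.EXAMPLE.COM -r EXAMPLE.COM
# Run kadmind only for the realm this host is master of:
#   kadmind -r XX.EXAMPLE.COM
# Accept incoming propagation for the slave realm only:
#   kpropd -r EXAMPLE.COM
# kpropd.acl (assumed head-office KDC name) must list the principal
# that the head-office master uses to push the database:
#   host/kdc.example.com@EXAMPLE.COM
```

Two points worth keeping in view with this layout. The slave copy of EXAMPLE.COM holds the long-term keys of every head-office principal, so the remote KDC must be protected to the same standard as the head-office master, and its kpropd.acl must name only the master's host principal. The firewall opening needed for the slave relationship is narrow: the head-office master initiates kprop to this host (TCP 754 by default), and no client at the remote site needs to reach the head office for authentication, which is the situation described in the message.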