In regard to: Re: Multiple realms served by single kadmind, Tom Parker said...:
> Thanks for the information. How can I tell my clients to use a custom
> port for password change? The man pages I have don't mention this and
> they tell me erroneously that kadmind will serve multiple realms (This
> I assume is a suse packaging problem, not a kerberos problem)

We've been doing what you're asking about for quite a few years -- one KDC
but about a dozen kadminds. Your /etc/krb5.conf on your clients will look
something like

        REALM1.EXAMPLE.COM = {
                kdc = kdc1.realm1.example.com:88
                kdc = kdc2.realm1.example.com:88
                admin_server = kdc1.realm1.example.com:911
                default_domain = realm1.example.com
        }
        REALM2.EXAMPLE.COM = {
                kdc = kdc1.realm2.example.com:88
                kdc = kdc2.realm2.example.com:88
                admin_server = kdc1.realm2.example.com:912
                default_domain = realm2.example.com
        }

with additional stanzas for each realm, with the port listed.

Then, the [realms] section of your kdc.conf will contain a line for
kadmind_port for each realm, e.g.

        [realms]
        REALM1.EXAMPLE.COM = {
                # other standard settings
                kadmind_port = 911
        }
        REALM2.EXAMPLE.COM = {
                # other standard settings
                kadmind_port = 912
        }

We're also using separate kpropd processes for each realm on the
secondaries, with each kpropd on its own port. That's specified via the
'-P portnum' option when starting kpropd. It does mean that we disable
the standard kpropd startup script and have one-per-realm
(/etc/init.d/kprop_REALM1, /etc/init.d/kprop_REALM2, etc).

We're not using incremental propagation, so things might be different
there. Instead, we only do propagation when the dump file has changed
from the checksum from the previous dump file.

Tim
-- 
Tim Mooney                              moo...@dogbert.cc.nrealm2.nodak.edu
Enterprise Computing & Infrastructure   701-231-1076 (Voice)
Room 242-J6, IACC Building              701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
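Added example, not from the post above or from MIT Kerberos: a hypothetical Python check that parses the [realms] stanzas of a client krb5.conf and the KDC's kdc.conf in the layout Tim describes and reports every realm whose admin_server port (what clients use for kadmin and kpasswd) disagrees with the kadmind_port that realm's kadmind actually listens on. The sample configs are constructed; 749 is kadmind's standard default port, assumed for both sides when no port is given.

```python
import re
# Constructed sample configs that mirror the post's layout; REALM2 is made to disagree.
KRB5_CONF = """[realms]
REALM1.EXAMPLE.COM = {
  admin_server = kdc1.realm1.example.com:911
}
REALM2.EXAMPLE.COM = {
  admin_server = kdc1.realm2.example.com:912
}
"""
KDC_CONF = """[realms]
REALM1.EXAMPLE.COM = {
  kadmind_port = 911   # matches the clients' admin_server port
}
REALM2.EXAMPLE.COM = {
  kadmind_port = 749   # distinct port never set, so this kadmind collides with the default
}
"""

def parse_realms(text):
    """Return {realm: {key: [values]}} from the [realms] section of a krb5-style file."""
    realms, current, in_realms = {}, None, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()         # drop comments and surrounding space
        if line.startswith('['):                    # section header, e.g. [realms]
            in_realms = line == '[realms]'
        elif not line or not in_realms:
            continue
        elif re.match(r'^\S+\s*=\s*\{$', line):     # "REALM = {" opens a realm block
            current = realms.setdefault(line.split('=', 1)[0].strip(), {})
        elif line == '}':
            current = None
        elif current is not None and '=' in line:   # "key = value" inside a realm block
            key, value = (s.strip() for s in line.split('=', 1))
            current.setdefault(key, []).append(value)
    return realms

def check_ports(krb5_text, kdc_text):
    """Return {realm: (client_port, kadmind_port)} for each realm whose ports disagree."""
    clients, kdc = parse_realms(krb5_text), parse_realms(kdc_text)
    mismatches = {}
    for realm, cfg in kdc.items():
        if realm not in clients:
            continue
        kadmind = int(cfg.get('kadmind_port', ['749'])[0])  # 749 is kadmind's default
        _, sep, port = clients[realm].get('admin_server', [''])[0].rpartition(':')
        cport = int(port) if sep else 749                   # clients also default to 749
        if cport != kadmind:
            mismatches[realm] = (cport, kadmind)
    return mismatches
```

Running check_ports(KRB5_CONF, KDC_CONF) on the constructed input reports REALM2.EXAMPLE.COM with client port 912 against kadmind port 749, the kind of drift that shows up as password changes failing for one realm only.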