RE: Multiple realms

2014-10-20 Thread Phatak, Bharath
Hi Ben,

I have a Java client to connect to Kerberos-enabled Hadoop. The client should be able 
to connect to different realms at the same time.

I am using the following code to interact with Kerberos-enabled Hadoop.


UserGroupInformation.loginUserFromKeytab("hdfs/pivhdsne@new.com", "/root/hdfsNew.keytab");
System.out.println("Obtained..\n\n\n\n");

URI uri = URI.create("webhdfs://IP:50070");
FileSystem fs = FileSystem.get(uri, configuration);

if (fs.mkdirs(new Path("/testKerbhdfsUser")))
    System.out.print("Directory created...");

The API only recognizes the default_realm.

Krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = NEW.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 1m
 renew_lifetime = 7d
 forwardable = true
 default_ccache_name = FILE:/tmp/hello/tktj0gw2g

[realms]
 NEW.COM = {
   kdc = bharath.kdc
   admin_server = bharath.kdc
 }
 EXAMPLE.COM = {
   kdc = wckdserver.krbnet
   admin_server = wckdserver.krbnet
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 .new.com = NEW.COM
 pivhdsne.localdomain = EXAMPLE.COM
 pivhdsne.rupam = NEW.COM


Thanks,
Bharath
-Original Message-
From: Benjamin Kaduk [mailto:ka...@mit.edu] 
Sent: Friday, October 17, 2014 9:49 PM
To: Phatak, Bharath
Cc: kerberos@mit.edu
Subject: Re: Multiple realms

I am not sure I fully understand the situation, but are the appropriate 
[domain_realm] mappings in the krb5.conf?

-Ben Kaduk



Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Multiple realms

2014-10-17 Thread Phatak, Bharath
Hi All,

Earlier we were using C++ and curl libraries to support Kerberos for Hadoop. 
Now we need to provide the same with Java.

I am using the following code to interact with Kerberos-enabled Hadoop.

UserGroupInformation.loginUserFromKeytab("hdfs/pivhdsne@new.com", "/root/hdfsNew.keytab");
System.out.println("Obtained..\n\n\n\n");

URI uri = URI.create("webhdfs://IP:50070");
FileSystem fs = FileSystem.get(uri, configuration);

if (fs.mkdirs(new Path("/testKerbhdfsUser")))
    System.out.print("Directory created...");

It is working fine, but when the customer wishes to use multiple realms my 
code fails.

With the below conf, code works fine when using NEW.COM but fails if using 
EXAMPLE.COM.

How can I connect using multiple realms with the same krb5.conf but different 
keytabs and different principals?


Krb5.conf
[libdefaults]
 default_realm = NEW.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 1d
 renew_lifetime = 7d
 forwardable = true


[realms]
 NEW.COM = {
   kdc = bharath.kdc
   admin_server = bharath.kdc
 }
 EXAMPLE.COM = {
   kdc = wckdserver.krbnet
   admin_server = wckdserver.krbnet
 }


Any help is much appreciated.

Thanks,
Bharath




Re: Multiple realms

2014-10-17 Thread Benjamin Kaduk
I am not sure I fully understand the situation, but are the appropriate
[domain_realm] mappings in the krb5.conf?

-Ben Kaduk




Multiple Realms - Filtering or pass-through ?

2014-06-02 Thread Dallin Young
Hi All, 

I'm having a lot of issues in regards to using two realms in CentOS 6.5. 

Here is the information: 

Active Directory (realm: USER.COMPANY.COM)
Kerberos 5 KDC   (realm: SERVICE.COMPANY.COM)


All my USERS are in USER.COMPANY.COM and
SERVICES (aka: postgres, MySQL, etc) are in SERVICE.COMPANY.COM.
I need to be able to have the users and services kinit without the Fully
Qualified Realm (FQR) 

Example: 
root $ su - postgres 
postgres $ kinit 
Password for postg...@service.company.com
mailto:postg...@service.company.com : 

root $ su - someuser 
someuser $ kinit 
Password for postg...@user.company.com mailto:postg...@user.company.com : 

Reality: 
root $ su - postgres 
postgres $ kinit 
kinit: Client 'postg...@user.company.com mailto:postg...@user.company.com
' not found in Kerberos database while getting initial credentials 

I would like it to fall to the next Realm if the first does not have records
of the credentials. 

I have been able to do this for shell logins using SSSD, since I have rules
in place that will check an LDAP flag for users vs. services. However, kinit
doesn't use PAM (lib_sssd) in any way to apply the rules after login (su, ksu,
etc). 

Please let me know if you have any suggestions on how this can be
accomplished. 
Thanks in advance! 

/etc/krb5.conf 

[logging] 
 default      = FILE:/var/log/krb5libs.log 
 kdc          = FILE:/var/log/krb5kdc.log 
 admin_server = FILE:/var/log/kadmind.log 

[libdefaults] 
 default_realm        = USER.COMPANY.COM 
 dns_lookup_realm     = True 
 dns_lookup_kdc       = True 
 ticket_lifetime      = 24h 
 renew_lifetime       = 7d 
 forwardable          = True 
 verify_ap_req_nofail = True 
 udp_preference_limit = 1 
 debug                = True 

[realms] 
 SERVICE.COMPANY.COM = { 
 } 
 USER.COMPANY.COM = { 
 } 

[domain_realm] 
 .service.company.com = SERVICE.COMPANY.COM 
 service.company.com  = SERVICE.COMPANY.COM 
 .user.company.com    = USER.COMPANY.COM 
 user.company.com     = USER.COMPANY.COM 

[appdefaults] 
 autologin = True 
 forward   = True 
 encrypt   = True 
 pam = { 
   debug           = True 
   ticket_lifetime = 24h 
   renew_lifetime  = 7d 
   forwardable     = True 
   krb4_convert    = False 
 } 

[capaths] 
 SERVICE.COMPANY.COM = { 
   USER.COMPANY.COM = . 
 } 
 USER.COMPANY.COM = { 
   SERVICE.COMPANY.COM = . 
 }




Whats necessary to make wallet serve multiple realms?

2013-09-16 Thread Tom_Krauss
Hi, 

I wonder what's the easiest way to get this done?

I assume I need to compile the server side with appropriate suffixes per
realm and refer to them by wallet_type on the client? 
What would be a clever place to set WALLET_CONFIG for the different realms
on the server?

Thanks for help.

Tom





Re: Whats necessary to make wallet serve multiple realms?

2013-09-16 Thread Russ Allbery
Tom_Krauss <thomas.kra...@itserv.de> writes:

 I wonder what`s the easiest way to get this done?

 I assume I need to compile the server side with appropriate suffixes per
 realm and refer to them by wallet_type on the client?

That would probably be the easiest way to handle it, since right now all
of the keytab object implementation can only be configured to talk to a
single realm.

 What would be a clever place to set WALLET_CONFIG for the different
 realms on the server?

Probably it makes sense to do this in the wallet-backend script.  Look for
objects of type keytab and then extract the realm from the principal name,
use that to determine the WALLET_CONFIG to set, and then invoke the normal
Perl modules but with the principal modified to not include the realm.

I hope to have time in the next three to six months to do another major
cleanup and partial rewrite of wallet and will try to keep this use case
in mind when I do to make it a bit easier.

-- 
Russ Allbery (r...@stanford.edu) http://www.eyrie.org/~eagle/



Re: Multiple realms served by single kadmind

2013-06-02 Thread Tom Parker
Thanks to everyone for their help

I have it working nicely now with a kadmin process for each realm. 

I hacked up the kadmind init script a little bit to loop over a list of
realms and call kadmind -r REALM for each entry.  Everything else is
defined in kdc.conf and in SRV records.

For anyone doing future googling.

/etc/krb5.conf
<snipit>
[realms]
DM.EXAMPLE.COM = {
    admin_server = auth1.dm.example.com:7490

    auth_to_local = RULE:[1:$1@$0]
    auth_to_local = RULE:[2:$1@$0]

    default_domain = dm.example.com
}
</snipit>

/var/lib/kerberos/krb5kdc/kdc.conf
<snipit>
[realms]
DM.EXAMPLE.COM = {
    kadmind_port = 7490
    kpasswd_port = 4640
}
</snipit>

zone entries
<snipit>
_kerberos-adm._tcp  IN SRV  0 0 7490 auth1.dm.example.com.
_kpasswd._udp       IN SRV  0 0 4640 auth1.dm.example.com.
</snipit>

Tom


On 05/28/2013 05:44 PM, Tim Mooney wrote:
 In regard to: Re: Multiple realms served by single kadmind, Tom Parker 
 said...:

 Thanks for the information.  How can I tell my clients to use a custom
 port for password change?  The man pages I have don't mention this and
 they tell me erroneously that kadmind will serve multiple realms (This
 I assume is a suse packaging problem, not a kerberos problem)
 We've been doing what you're asking about for quite a few years -- one KDC
 but about a dozen kadminds.

 Your /etc/krb5.conf on your clients will look something like


  REALM1.EXAMPLE.COM = {
  kdc = kdc1.realm1.example.com:88
  kdc = kdc2.realm1.example.com:88
  admin_server = kdc1.realm1.example.com:911
  default_domain = realm1.example.com
  }

  REALM2.EXAMPLE.COM = {
  kdc = kdc1.realm2.example.com:88
  kdc = kdc2.realm2.example.com:88
  admin_server = kdc1.realm2.example.com:912
  default_domain = realm2.example.com
  }

 with additional stanzas for each realm, with the port listed.

 Then, the [realms] section of your kdc.conf will contain a line for
 kadmind_port for each realm, e.g.

 [realms]
  REALM1.EXAMPLE.COM = {
   # other standard settings
   kadmind_port = 911
   }

  REALM2.EXAMPLE.COM = {
   # other standard settings
   kadmind_port = 912
   }


 We're also using separate kpropd processes for each realm on the
 secondaries, with each kpropd on its own port.  That's specified via
 the '-P portnum' option when starting kpropd.  It does mean that we
 disable the standard kpropd startup script and have one-per-realm
 (/etc/init.d/kprop_REALM1, /etc/init.d/kprop_REALM2, etc).

 We're not using incremental propagation, so things might be different
 there.  Instead, we only do propagation when the dump file has changed
 from the checksum from the previous dump file.

 Tim


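A configuration check for the arrangement this thread arrives at (one kadmind per realm, each on its own kadmind_port/kpasswd_port, with the client krb5.conf pointed at those ports). This is an added example, not code from any of the posters; the kdc.conf text is constructed, and the hostnames and the REALM3 stanza are assumptions.

```python
# Checks a multi-realm kdc.conf for per-realm kadmind/kpasswd ports. MIT kadmind
# serves one realm per process, so each realm needs its own port, and the
# client krb5.conf must name the same ports. Added example, not thread code.
import re
from collections import defaultdict

# Constructed sample kdc.conf. REALM1/REALM2 follow the 911/912 layout in the
# thread; REALM3 is an assumption that reuses 912 so the check fires.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88
[realms]
    REALM1.EXAMPLE.COM = {
        # other standard settings
        kadmind_port = 911
        kpasswd_port = 4641
    }
    REALM2.EXAMPLE.COM = {
        kadmind_port = 912
        kpasswd_port = 4642
    }
    REALM3.EXAMPLE.COM = {
        kadmind_port = 912
    }
"""

def parse_realms(text):
    """Return {realm: {key: value}} from the [realms] section of a profile.
    One brace level is handled (all [realms] uses); comments are skipped."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "realms":
            continue
        m = re.fullmatch(r"([\w.\-]+)\s*=\s*\{", line)
        if m:
            current = realms.setdefault(m.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return realms

def port_conflicts(realms, key="kadmind_port"):
    """List realms that leave `key` unset (the daemon then takes its compiled-in
    default) and ports that more than one realm claims for `key`."""
    problems, by_port = [], defaultdict(list)
    for realm, settings in sorted(realms.items()):
        port = settings.get(key)
        if port is None:
            problems.append(f"{realm}: no {key}; daemon will use the default port")
        else:
            by_port[port].append(realm)
    for port, owners in sorted(by_port.items()):
        if len(owners) > 1:
            problems.append(f"{key} {port} shared by {', '.join(owners)}")
    return problems

def client_realm_stanza(realm, settings, admin_host):
    """Render the krb5.conf [realms] stanza clients need: the per-realm port
    rides on admin_server and kpasswd_server, as the thread describes."""
    lines = [f"{realm} = {{",
             f"    admin_server = {admin_host}:{settings['kadmind_port']}"]
    if "kpasswd_port" in settings:
        lines.append(f"    kpasswd_server = {admin_host}:{settings['kpasswd_port']}")
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    found = parse_realms(SAMPLE_KDC_CONF)
    for problem in port_conflicts(found) + port_conflicts(found, "kpasswd_port"):
        print("PROBLEM:", problem)
    print(client_realm_stanza("REALM1.EXAMPLE.COM", found["REALM1.EXAMPLE.COM"], "kdc1.realm1.example.com"))  # host assumed
```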


Re: Multiple realms served by single kadmind

2013-05-28 Thread Greg Hudson
On 05/28/2013 12:57 AM, Tom Parker wrote:
 Thanks for the information.  How can I tell my clients to use a custom 
 port for password change?

In the realm section, you say kpasswd_server = hostname:port.

If you're using SRV records, you use the _kpasswd._udp.domain record.




Re: Multiple realms served by single kadmind

2013-05-28 Thread Tim Mooney
In regard to: Re: Multiple realms served by single kadmind, Tom Parker said...:

 Thanks for the information.  How can I tell my clients to use a custom
 port for password change?  The man pages I have don't mention this and
 they tell me erroneously that kadmind will serve multiple realms (This
 I assume is a suse packaging problem, not a kerberos problem)

We've been doing what you're asking about for quite a few years -- one KDC
but about a dozen kadminds.

Your /etc/krb5.conf on your clients will look something like

 REALM1.EXAMPLE.COM = {
   kdc = kdc1.realm1.example.com:88
   kdc = kdc2.realm1.example.com:88
   admin_server = kdc1.realm1.example.com:911
   default_domain = realm1.example.com
 }

 REALM2.EXAMPLE.COM = {
   kdc = kdc1.realm2.example.com:88
   kdc = kdc2.realm2.example.com:88
   admin_server = kdc1.realm2.example.com:912
   default_domain = realm2.example.com
 }

with additional stanzas for each realm, with the port listed.

Then, the [realms] section of your kdc.conf will contain a line for
kadmind_port for each realm, e.g.

[realms]
 REALM1.EXAMPLE.COM = {
   # other standard settings
   kadmind_port = 911
 }

 REALM2.EXAMPLE.COM = {
   # other standard settings
   kadmind_port = 912
 }


We're also using separate kpropd processes for each realm on the
secondaries, with each kpropd on its own port.  That's specified via
the '-P portnum' option when starting kpropd.  It does mean that we
disable the standard kpropd startup script and have one-per-realm
(/etc/init.d/kprop_REALM1, /etc/init.d/kprop_REALM2, etc).

We're not using incremental propagation, so things might be different
there.  Instead, we only do propagation when the dump file has changed
from the checksum from the previous dump file.

Tim
-- 
Tim Mooney  moo...@dogbert.cc.nrealm2.nodak.edu
Enterprise Computing  Infrastructure   701-231-1076 (Voice)
Room 242-J6, IACC Building  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164



Re: Multiple realms served by single kadmind

2013-05-27 Thread Greg Hudson
On 05/24/2013 02:28 PM, Tom Parker wrote:
 Is it possible to serve several realms from a single kadmind process?
 With the krb5kdc process it's as simple as specifying multiple -r
 REALM flags on the command line?

We do not have that feature currently; you have to use separate kadmind
processes (and therefore different ports) for different realms.

(Apologies for the slow response.)




Re: Multiple realms served by single kadmind

2013-05-27 Thread Tom Parker
Hi Greg

Thanks for the information.  How can I tell my clients to use a custom 
port for password change?  The man pages I have don't mention this and 
they tell me erroneously that kadmind will serve multiple realms (This 
I assume is a SUSE packaging problem, not a Kerberos problem)

Tom

On Tue 28 May 2013 12:44:52 AM EDT, Greg Hudson wrote:
 On 05/24/2013 02:28 PM, Tom Parker wrote:
 Is it possible to serve several realms from a single kadmind process?
 With the krb5kdc process it's as simple as specifying multiple -r
 REALM flags on the command line?

 We do not have that feature currently; you have to use separate kadmind
 processes (and therefore different ports) for different realms.

 (Apologies for the slow response.)




Re: Multiple realms served by single kadmind

2013-05-24 Thread Tom Parker
Hello. I have had no response to this post. Does anyone have any suggestions on 
how I can serve multiple realms from a single kadmind?

Thanks.

From: Tom Parker
Sent: Tuesday, May 21, 2013 11:55 AM
To: kerberos@mit.edu
Subject: Multiple realms served by single kadmind


Hello

Is it possible to serve several realms from a single kadmind process?
With the krb5kdc process it's as simple as specifying multiple -r
REALM flags on the command line?

I have a server that needs to support 4 separate realms and the kdc is
working fine but whenever users try to change their passwords they get:

Enter new password:
Enter it again:
Authentication error: Failed reading application request

Any help would be appreciated.

Thanks



Multiple realms served by single kadmind

2013-05-21 Thread Tom Parker
Hello

Is it possible to serve several realms from a single kadmind process? 
With the krb5kdc process it's as simple as specifying multiple -r
REALM flags on the command line?

I have a server that needs to support 4 separate realms and the kdc is
working fine but whenever users try  to change their passwords they get:

Enter new password:
Enter it again:
Authentication error: Failed reading application request

Any help would be appreciated.

Thanks



Re: Multiple realms in one krb5.conf

2008-12-15 Thread Douglas E. Engert


James Chavez wrote:
 Hello list,
 
 I have a question that I need assistance with.
 
 I have a Windows 2003 AD setup.
 The forest consists of 3 domains. 
 So we will say the name is 
 example.com and there are 3 domains.
 
 america.example.com
 asia.example.com
 europe.example.com
 
 Is it possible to configure the krb5.conf on a station so that kerberos
 can service login requests for each of the 3 domains?

Maybe, but it is not clear what you mean.

 Is this as simple as adding an entry for each realm in the realms
 section of the krb5.conf file.

That is part of it, although DNS could be used to find the realms.

You say logins, so I am assuming that the station is Unix based.
Login would use PAM with a pam_krb5, and the station above will
need to have a principal in one of the realms and a keytab
to match.

But if a user is in one AD domain and the server is in a different
AD domain, this would be cross realm and the pam_krb5 would have
to do some additional checks.

Kerberos only does authentication; you still need to authorize
the user to login.

Start here, as this gives the basic concepts:
http://technet.microsoft.com/en-us/library/bb742433.aspx

 
 
 Thank you
 James
 

-- 

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



Multiple Realms in Apache mod_auth_kerb

2008-09-25 Thread Reto Schubnell

Hello 
 I have a problem getting my Apache to work with Kerberos across 2 domains, test1 and test2. 
The site should be accessible by users in both domains. Is a trust needed between 
the domains? (I can't do a trust between the domains for security reasons.) 
 What steps are needed to get this to work? 
 
kerberos.conf in apache 
 <Directory /> 
   Options FollowSymLinks 
   AllowOverride None 
   AuthType Kerberos 
   AuthName "Kerberos Login" 
   KrbMethodNegotiate On 
   KrbMethodK5Passwd Off 
   KrbAuthoritative On 
   KrbVerifyKDC On 
   KrbAuthRealms TEST1.LOCAL TEST2.LOCAL 
   Krb5KeyTab /etc/apache2/test.keytab 
   require valid-user 
 </Directory> 

 krb5.conf 
 [realms] 
 TEST1.LOCAL = { 
   kdc = kdc.test1.local 
   admin_server = kdc.test1.local 
 } 
 TEST2.LOCAL = { 
   kdc = kdc.test2.local 
   admin_server = kdc.test2.local 
 } 


Problems with Multiple Realms on One KDC

2004-06-08 Thread Matt Clausen
I'm having a bit of a mental block trying to establish multiple 
realms on a single KDC. I have everything set up in my kdc.conf and 
krb5.conf files, but it's like kdb5_util isn't reading the kdc.conf file.

Here's an excerpt from my kdc.conf file:
-- /etc/krb5/kdc.conf --
[kdcdefaults]
    kdc_ports = 88
[realms]
    realm1 = {
        profile = /etc/krb5/krb5.conf
        database_name = /var/krb5kdc/principal
        admin_database_name = /var/krb5kdc/principal.kadm5
        admin_database_lockfile = /var/krb5kdc/principal.kadm5.lock
        admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
        acl_file = /var/krb5kdc/kadm5.acl
        dict_file = /var/krb5kdc/kadm5.dict
        key_stash_file = /var/krb5kdc/.k5.realm1
        kadmin_port = 748
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }
    realm2 = {
        profile = /etc/krb5/krb5.conf
        database_name = /var/krb5kdc/realm2/principal
        admin_database_name = /var/krb5kdc/realm2/principal.kadm5
        admin_database_lockfile = /var/krb5kdc/realm2/principal.kadm5.lock
        admin_keytab = FILE:/var/krb5kdc/realm2/kadm5.keytab
        acl_file = /var/krb5kdc/realm2/kadm5.acl
        dict_file = /var/krb5kdc/kadm5.dict
        key_stash_file = /var/krb5kdc/realm2/.k5.realm2
        kadmin_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }
-- /etc/krb5/kdc.conf --
Here's an excerpt from my krb5.conf file:
- /etc/krb5/krb5.conf -
[libdefaults]
    ticket_lifetime = 600
    default_realm = realm1
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
[realms]
    realm1 = {
        kdc = kdc1:88
        kdc = kdc2:88
        admin_server = kdc1:748
        default_domain = csit.fsu.edu
    }
    realm2 = {
        kdc = kdc1:88
        kdc = kdc2:88
        admin_server = kdc1:749
        default_domain = csit.fsu.edu
    }
[domain_realm]
    .csit.fsu.edu = realm1
    csit.fsu.edu = realm1
[kdc]
    profile = /etc/krb5/kdc.conf
[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log
[login]
    krb4_convert = false
    krb4_get_tickets = false
[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
    kinit = {
        forwardable = true
        renewable = true
    }
- /etc/krb5/krb5.conf -
I've created the database with:
kdb5_util -r realm2 -d /var/krb5kdc/realm2/principal -sf /var/krb5kdc/realm2/.k5.realm2 create -s

Yet when I try to launch krb5kdc -r realm1 -r realm2 I get this:
krb5kdc: Cannot find/read stored master key - while fetching master key 
K/M for realm realm2

Realm #1 works fine by itself, but when I try to bring the second one 
in, that's when all the problems occur.




Single ldap installation with users from multiple realms... or possibly failover from one realm to the next

2004-04-04 Thread Chris McClimans
I've got an interesting dilemma. I've got users from two Kerberos 
realms... one of them is under my control and the other is an Active 
Directory under the control of central IT. They won't modify the AD to have 
any useful Unix attributes, so I'm stuck building my own LDAP solution. 
Is there a way I can use a combination of nss_ldap and something like 
libpam_krb5/libpam_ldap to achieve the following for local logins? I 
don't think it is an issue if they already have a TGT.

login: localuser
password for [EMAIL PROTECTED]:
for users with krb5PrincipalName/userPasswd in our localrealm and:

login: remoteuser
password for [EMAIL PROTECTED]:
for users in the remote/central realm?

I'd actually love to find a way to try [EMAIL PROTECTED] first then 
try [EMAIL PROTECTED] second, but I'm not seeing a clear path 
without writing my own pam module.

For clarity here's the example users:

dn: uid=localuser,ou=People,dc=localrealm
uid: localuser
cn: Local Users
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
objectClass: shadowAccount
krb5PrincipalName: [EMAIL PROTECTED]
loginShell: /bin/bash
uidNumber: 1118
gidNumber: 200
homeDirectory: /afs/localrealm/user/localuser
gecos: Local User
userPassword:: e0tFUkJFUk9TfW1jY2xpbWFuQENTLlRUVS5FRFU= (actually 
[EMAIL PROTECTED])

dn: uid=remoteuser,ou=People,dc=localrealm
uid: remoteuser
cn: Remote User
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
objectClass: shadowAccount
krb5PrincipalName: [EMAIL PROTECTED]
loginShell: /bin/bash
uidNumber: 1119
gidNumber: 200
homeDirectory: /afs/localrealm/user/remoteuser
gecos: Remote User
userPassword:: e0tFUkJFUk9TfW1jY2xpbWFuQENTLlRUVS5FRFU= (actually 
[EMAIL PROTECTED])




Multiple realms

2003-07-10 Thread Nikola Milutinovic
Am I reading the docs correctly?

The man page of krb5kdc states that there can be only one realm per TCP/UDP port. Am 
I reading it right?

Nix.




Re: Multiple realms

2003-07-10 Thread Vladimir Terziev
  The following is from the krb5kdc man page:
...
    krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3

    specifies that the KDC listen on port 2001 for REALM1 and
    on port 2002 for REALM2 and REALM3. Additionally, per-realm
    parameters may be specified in the kdc.conf file.
...

Vlady


On Thu, 10 Jul 2003 14:45:05 +0200
Nikola Milutinovic [EMAIL PROTECTED] wrote:

 Am I reading the docs correctly?
 
 The man page of krb5kdc states that there can be only one realm per TCP/UDP port. 
 Am I reading it right?
 
 Nix.
 
 


Re: Multiple realms

2003-07-10 Thread Sam Hartman
The multi-realm support in MIT Kerberos is kind of buggy. It's not
something we really test.  Don't be surprised if the docs don't
correspond to the observed behavior.  

If you do figure out what works and what doesn't--especially if you
figure out why things break--please let us know.

