RE: Multiple realms
Hi Ben,

I have a Java client to connect to Kerberos-enabled Hadoop. The client should be able to connect to different realms at the same time. I am using the following code to interact with Kerberos-enabled Hadoop.

    UserGroupInformation.loginUserFromKeytab("hdfs/pivhdsne@new.com", "/root/hdfsNew.keytab");
    System.out.println("Obtained..\n\n\n\n");
    URI uri = URI.create("webhdfs://IP:50070");
    FileSystem fs = FileSystem.get(uri, configuration);
    if (fs.mkdirs(new Path("/testKerbhdfsUser")))
        System.out.print("Directory created...");

The API is recognizing only default_realm.

Krb5.conf

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = NEW.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 1m
     renew_lifetime = 7d
     forwardable = true
     default_ccache_name = FILE:/tmp/hello/tktj0gw2g

    [realms]
     NEW.COM = {
      kdc = bharath.kdc
      admin_server = bharath.kdc
     }
     EXAMPLE.COM = {
      kdc = wckdserver.krbnet
      admin_server = wckdserver.krbnet
     }

    [domain_realm]
     .example.com = EXAMPLE.COM
     .new.com = NEW.COM
     pivhdsne.localdomain = EXAMPLE.COM
     pivhdsne.rupam = NEW.COM

Thanks,
Bharath

-----Original Message-----
From: Benjamin Kaduk [mailto:ka...@mit.edu]
Sent: Friday, October 17, 2014 9:49 PM
To: Phatak, Bharath
Cc: kerberos@mit.edu
Subject: Re: Multiple realms

I am not sure I fully understand the situation, but are the appropriate [domain_realm] mappings in the krb5.conf?

-Ben Kaduk

Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Multiple realms
Hi All,

Earlier we were using C++ and curl libraries to support Kerberos for Hadoop. Now we need to provide the same with Java. I am using the following code to interact with Kerberos-enabled Hadoop.

    UserGroupInformation.loginUserFromKeytab("hdfs/pivhdsne@new.com", "/root/hdfsNew.keytab");
    System.out.println("Obtained..\n\n\n\n");
    URI uri = URI.create("webhdfs://IP:50070");
    FileSystem fs = FileSystem.get(uri, configuration);
    if (fs.mkdirs(new Path("/testKerbhdfsUser")))
        System.out.print("Directory created...");

It is working fine, but when the customer wishes to use multiple realms my code fails. With the conf below, the code works fine when using NEW.COM but fails when using EXAMPLE.COM. How can I connect using multiple realms with the same krb5.conf but different keytabs and different principals?

Krb5.conf

    [libdefaults]
     default_realm = NEW.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 1d
     renew_lifetime = 7d
     forwardable = true

    [realms]
     NEW.COM = {
      kdc = bharath.kdc
      admin_server = bharath.kdc
     }
     EXAMPLE.COM = {
      kdc = wckdserver.krbnet
      admin_server = wckdserver.krbnet
     }

Any help is much appreciated.

Thanks,
Bharath
Re: Multiple realms
I am not sure I fully understand the situation, but are the appropriate [domain_realm] mappings in the krb5.conf?

-Ben Kaduk
Multiple Realms - Filtering or pass-through ?
Hi All,

I'm having a lot of issues in regards to using two realms in CentOS 6.5. Here is the information:

Active Directory (realm: USER.COMPANY.COM)
Kerberos 5 KDC (realm: SERVICE.COMPANY.COM)

All my USERS are in USER.COMPANY.COM and SERVICES (aka: postgres, MySQL, etc) are in SERVICE.COMPANY.COM.

I need to be able to have the users and services kinit without the Fully Qualified Realm (FQR).

Example:

    root $ su - postgres
    postgres $ kinit
    Password for postg...@service.company.com:

    root $ su - someuser
    someuser $ kinit
    Password for postg...@user.company.com:

Reality:

    root $ su - postgres
    postgres $ kinit
    kinit: Client 'postg...@user.company.com' not found in Kerberos database while getting initial credentials

I would like it to fall to the next Realm if the first does not have records of the credentials. I have been able to do this for shell logins using SSSD, since I have rules in place that will check an ldap flag for users vs. services. However kinit doesn't use PAM (lib_sssd) in any way to apply the rules after login (su, ksu, etc).

Please let me know if you have any suggestions on how this can be accomplished. Thanks in advance!

/etc/krb5.conf

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = USER.COMPANY.COM
     dns_lookup_realm = True
     dns_lookup_kdc = True
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = True
     verify_ap_req_nofail = True
     udp_preference_limit = 1
     debug = True

    [realms]
     SERVICE.COMPANY.COM = {
     }
     USER.COMPANY.COM = {
     }

    [domain_realm]
     .service.company.com = SERVICE.COMPANY.COM
     service.company.com = SERVICE.COMPANY.COM
     .user.company.com = USER.COMPANY.COM
     user.company.com = USER.COMPANY.COM

    [appdefaults]
     autologin = True
     forward = True
     encrypt = True
     pam = {
      debug = True
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = True
      krb4_convert = False
     }

    [capaths]
     SERVICE.COMPANY.COM = {
      USER.COMPANY.COM = .
     }
     USER.COMPANY.COM = {
      SERVICE.COMPANY.COM = .
     }
Whats necessary to make wallet serve multiple realms?
Hi,

I wonder what's the easiest way to get this done? I assume I need to compile the server side with appropriate suffixes per realm and refer to them by wallet_type on the client?

What would be a clever place to set WALLET_CONFIG for the different realms on the server?

Thanks for help.
Tom
Re: Whats necessary to make wallet serve multiple realms?
Tom_Krauss <thomas.kra...@itserv.de> writes:

> I wonder what's the easiest way to get this done? I assume I need to compile the server side with appropriate suffixes per realm and refer to them by wallet_type on the client?

That would probably be the easiest way to handle it, since right now all of the keytab object implementation can only be configured to talk to a single realm.

> What would be a clever place to set WALLET_CONFIG for the different realms on the server?

Probably it makes sense to do this in the wallet-backend script. Look for objects of type keytab and then extract the realm from the principal name, use that to determine the WALLET_CONFIG to set, and then invoke the normal Perl modules but with the principal modified to not include the realm.

I hope to have time in the next three to six months to do another major cleanup and partial rewrite of wallet and will try to keep this use case in mind when I do to make it a bit easier.

--
Russ Allbery (r...@stanford.edu) http://www.eyrie.org/~eagle/
Re: Multiple realms served by single kadmind
Thanks to everyone for their help. I have it working nicely now with a kadmin process for each realm. I hacked up the kadmind init script a little bit to loop over a list of realms and call kadmind -r REALM for each entry. Everything else is defined in kdc.conf and in SRV records.

For anyone doing future googling:

/etc/krb5.conf
snipit
    [realms]
     DM.EXAMPLE.COM = {
      admin_server = auth1.dm.example.com:7490
      auth_to_local = RULE:[1:$1@$0]
      auth_to_local = RULE:[2:$1@$0]
      default_domain = dm.example.com
     }
/snipit

/var/lib/kerberos/krb5kdc/kdc.conf
snipit
    [realms]
     DM.EXAMPLE.COM = {
      kadmind_port = 7490
      kpasswd_port = 4640
     }
/snipit

zone entries
snipit
    _kerberos-adm._tcp IN SRV 0 0 7490 auth1.dm.example.com.
    _kpasswd._udp      IN SRV 0 0 4640 auth1.dm.example.com.
snipit

Tom

On 05/28/2013 05:44 PM, Tim Mooney wrote:
> In regard to: Re: Multiple realms served by single kadmind, Tom Parker said...:
>
> > Thanks for the information. How can I tell my clients to use a custom port for password change? The man pages I have don't mention this and they tell me erroneously that kadmind will serve multiple realms (This I assume is a suse packaging problem, not a kerberos problem)
>
> We've been doing what you're asking about for quite a few years -- one KDC but about a dozen kadminds.
>
> Your /etc/krb5.conf on your clients will look something like
>
>     REALM1.EXAMPLE.COM = {
>         kdc = kdc1.realm1.example.com:88
>         kdc = kdc2.realm1.example.com:88
>         admin_server = kdc1.realm1.example.com:911
>         default_domain = realm1.example.com
>     }
>     REALM2.EXAMPLE.COM = {
>         kdc = kdc1.realm2.example.com:88
>         kdc = kdc2.realm2.example.com:88
>         admin_server = kdc1.realm2.example.com:912
>         default_domain = realm2.example.com
>     }
>
> with additional stanzas for each realm, with the port listed.
>
> Then, the [realms] section of your kdc.conf will contain a line for kadmind_port for each realm, e.g.
>
>     [realms]
>     REALM1.EXAMPLE.COM = {
>         # other standard settings
>         kadmind_port = 911
>     }
>     REALM2.EXAMPLE.COM = {
>         # other standard settings
>         kadmind_port = 912
>     }
>
> We're also using separate kpropd processes for each realm on the secondaries, with each kpropd on its own port. That's specified via the '-P portnum' option when starting kpropd. It does mean that we disable the standard kpropd startup script and have one-per-realm (/etc/init.d/kprop_REALM1, /etc/init.d/kprop_REALM2, etc).
>
> We're not using incremental propagation, so things might be different there. Instead, we only do propagation when the dump file has changed from the checksum from the previous dump file.
>
> Tim
Re: Multiple realms served by single kadmind
On 05/28/2013 12:57 AM, Tom Parker wrote:
> Thanks for the information. How can I tell my clients to use a custom port for password change?

In the realm section, you say kpasswd_server = hostname:port. If you're using SRV records, you use the _kpasswd._udp.domain record.
Re: Multiple realms served by single kadmind
In regard to: Re: Multiple realms served by single kadmind, Tom Parker said...:

> Thanks for the information. How can I tell my clients to use a custom port for password change? The man pages I have don't mention this and they tell me erroneously that kadmind will serve multiple realms (This I assume is a suse packaging problem, not a kerberos problem)

We've been doing what you're asking about for quite a few years -- one KDC but about a dozen kadminds.

Your /etc/krb5.conf on your clients will look something like

    REALM1.EXAMPLE.COM = {
        kdc = kdc1.realm1.example.com:88
        kdc = kdc2.realm1.example.com:88
        admin_server = kdc1.realm1.example.com:911
        default_domain = realm1.example.com
    }
    REALM2.EXAMPLE.COM = {
        kdc = kdc1.realm2.example.com:88
        kdc = kdc2.realm2.example.com:88
        admin_server = kdc1.realm2.example.com:912
        default_domain = realm2.example.com
    }

with additional stanzas for each realm, with the port listed.

Then, the [realms] section of your kdc.conf will contain a line for kadmind_port for each realm, e.g.

    [realms]
    REALM1.EXAMPLE.COM = {
        # other standard settings
        kadmind_port = 911
    }
    REALM2.EXAMPLE.COM = {
        # other standard settings
        kadmind_port = 912
    }

We're also using separate kpropd processes for each realm on the secondaries, with each kpropd on its own port. That's specified via the '-P portnum' option when starting kpropd. It does mean that we disable the standard kpropd startup script and have one-per-realm (/etc/init.d/kprop_REALM1, /etc/init.d/kprop_REALM2, etc).

We're not using incremental propagation, so things might be different there. Instead, we only do propagation when the dump file has changed from the checksum from the previous dump file.

Tim
--
Tim Mooney moo...@dogbert.cc.nrealm2.nodak.edu
Enterprise Computing Infrastructure 701-231-1076 (Voice)
Room 242-J6, IACC Building 701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
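A consistency check for the one-kadmind-per-realm layout described in this thread, as an added example (not code from any poster or from MIT Kerberos): it compares the [realms] stanzas of a client krb5.conf with those of the server kdc.conf and reports client ports that do not match kadmind_port or kpasswd_port, and realms whose kadmind processes would collide on one port. The function names and sample text are constructed, the parser handles only the multi-line `REALM = {` ... `}` form quoted above, and it assumes all realms in kdc.conf run on one host.

```python
import re
from collections import defaultdict

# (krb5.conf relation, kdc.conf relation, MIT default port)
PAIRS = [("admin_server", "kadmind_port", 749),
         ("kpasswd_server", "kpasswd_port", 464)]

# Constructed sample input, modelled on the stanzas quoted in the thread.
SAMPLE_KRB5_CONF = """
[realms]
 REALM1.EXAMPLE.COM = {
  admin_server = kdc1.realm1.example.com:911
  kpasswd_server = kdc1.realm1.example.com:4640
 }
 REALM2.EXAMPLE.COM = {
  admin_server = kdc1.realm2.example.com
 }
"""
SAMPLE_KDC_CONF = """
[realms]
 REALM1.EXAMPLE.COM = {
  # other standard settings
  kadmind_port = 911
  kpasswd_port = 4641
 }
 REALM2.EXAMPLE.COM = {
  kadmind_port = 912
 }
 REALM3.EXAMPLE.COM = {
  kadmind_port = 912
 }
"""


def parse_realms(text):
    """Return {realm: {relation: [values]}} for the [realms] section."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        elif section != "realms":
            continue
        elif line == "}":
            current = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                current = realms.setdefault(key, defaultdict(list))
            elif current is not None and value:
                current[key].append(value)
    return realms


def port_of(hostport, default):
    """Port from 'host:port', or the default when no port is given."""
    _, sep, port = hostport.rpartition(":")
    return int(port) if sep and port.isdigit() else default


def check_layout(krb5_conf, kdc_conf):
    """List mismatches between client and KDC config; [] means consistent."""
    client, server = parse_realms(krb5_conf), parse_realms(kdc_conf)
    findings, kadmind_ports = [], defaultdict(list)
    for realm in sorted(server):
        for client_key, server_key, default in PAIRS:
            port = int(server[realm].get(server_key, [default])[0])
            if server_key == "kadmind_port":
                kadmind_ports[port].append(realm)
            for target in client.get(realm, {}).get(client_key, []):
                if port_of(target, default) != port:
                    findings.append(f"{realm}: {client_key} = {target} "
                                    f"does not match {server_key} = {port}")
    # One kadmind process serves one realm, so each needs its own port.
    for port, realms in sorted(kadmind_ports.items()):
        if len(realms) > 1:
            findings.append(f"kadmind_port {port} is shared by "
                            + ", ".join(realms))
    return findings


if __name__ == "__main__":
    for finding in check_layout(SAMPLE_KRB5_CONF, SAMPLE_KDC_CONF):
        print(finding)
```

Clients that locate the password-change service through _kpasswd._udp SRV records have no kpasswd_server line, so that pair is compared only where the client file sets it.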
Re: Multiple realms served by single kadmind
On 05/24/2013 02:28 PM, Tom Parker wrote:
> Is it possible to serve several realms from a single kadmind process? With the krb5kdc process it's as simple as specifying multiple -r REALM flags on the command line?

We do not have that feature currently; you have to use separate kadmind processes (and therefore different ports) for different realms. (Apologies for the slow response.)
Re: Multiple realms served by single kadmind
Hi Greg

Thanks for the information. How can I tell my clients to use a custom port for password change? The man pages I have don't mention this and they tell me erroneously that kadmind will serve multiple realms (This I assume is a suse packaging problem, not a kerberos problem)

Tom

On Tue 28 May 2013 12:44:52 AM EDT, Greg Hudson wrote:
> On 05/24/2013 02:28 PM, Tom Parker wrote:
> > Is it possible to serve several realms from a single kadmind process? With the krb5kdc process it's as simple as specifying multiple -r REALM flags on the command line?
>
> We do not have that feature currently; you have to use separate kadmind processes (and therefore different ports) for different realms. (Apologies for the slow response.)
Re: Multiple realms served by single kadmind
Hello. I have had no response to this post. Does anyone have any suggestions on how I can serve multiple realms from a single kadmind?

Thanks.

From: Tom Parker
Sent: Tuesday, May 21, 2013 11:55 AM
To: kerberos@mit.edu
Subject: Multiple realms served by single kadmind

Hello

Is it possible to serve several realms from a single kadmind process? With the krb5kdc process it's as simple as specifying multiple -r REALM flags on the command line?

I have a server that needs to support 4 separate realms and the kdc is working fine but whenever users try to change their passwords they get:

    Enter new password:
    Enter it again:
    Authentication error: Failed reading application request

Any help would be appreciated.

Thanks
Multiple realms served by single kadmind
Hello

Is it possible to serve several realms from a single kadmind process? With the krb5kdc process it's as simple as specifying multiple -r REALM flags on the command line?

I have a server that needs to support 4 separate realms and the kdc is working fine but whenever users try to change their passwords they get:

    Enter new password:
    Enter it again:
    Authentication error: Failed reading application request

Any help would be appreciated.

Thanks
Re: Multiple realms in one krb5.conf
James Chavez wrote:
> Hello list,
> I have a question that I need assistance with. I have a Windows 2003 AD setup. The forest consists of 3 domains. So we will say the name is example.com and there are 3 domains.
>
> america.example.com
> asia.example.com
> europe.example.com
>
> Is it possible to configure the krb5.conf on a station so that kerberos can service login requests for each of the 3 domains?

Maybe, but it is not clear what you mean.

> Is this as simple as adding an entry for each realm in the realms section of the krb5.conf file.

That is part of it, although DNS could be used to find the realms.

You say logins, so I am assuming that the station is Unix based. Login would use PAM with a pam_krb5, and the station above will need to have a principal in one of the realms and a keytab to match. But if a user is in one AD domain and the server is in a different AD domain, this would be cross realm and the pam_krb5 would have to do some additional checks. Kerberos only does authentication; you still need to authorize the user to login.

Start here, as this gives the basic concepts:
http://technet.microsoft.com/en-us/library/bb742433.aspx

> Thank you
> James

--
Douglas E. Engert deeng...@anl.gov
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Multiple Realms in Apache mod_auth_kerb
Hello

I have a problem getting my apache to work with 2 domains, test1 and test2, with kerberos. The site should be accessible by users in both domains.

Is there a trust needed between the domains? (I can't do a trust between the domains for security reasons.) What steps are needed to get this to work?

kerberos.conf in apache

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthoritative On
        KrbVerifyKDC On
        KrbAuthRealms TEST1.LOCAL TEST2.LOCAL
        Krb5KeyTab /etc/apache2/test.keytab
        require valid-user
    </Directory>

krb5.conf

    [realms]
     TEST1.LOCAL = {
      kdc = kdc.test1.local
      admin_server = kdc.test1.local
     }
     TEST2.LOCAL = {
      kdc = kdc.test2.local
      admin_server = kdc.test2.local
     }
Problems with Multiple Realms on One KDC
I'm having a bit of a mental block with trying to establish multiple realms on a single KDC. I have everything set up in my kdc.conf and krb5.conf files but it's like the kdb5_util isn't reading the kdc.conf file.

Here's an excerpt from my kdc.conf file:

-- /etc/krb5/kdc.conf --

    [kdcdefaults]
     kdc_ports = 88

    [realms]
     realm1 = {
      profile = /etc/krb5/krb5.conf
      database_name = /var/krb5kdc/principal
      admin_database_name = /var/krb5kdc/principal.kadm5
      admin_database_lockfile = /var/krb5kdc/principal.kadm5.lock
      admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
      acl_file = /var/krb5kdc/kadm5.acl
      dict_file = /var/krb5kdc/kadm5.dict
      key_stash_file = /var/krb5kdc/.k5.realm1
      kadmin_port = 748
      max_life = 10h 0m 0s
      max_renewable_life = 7d 0h 0m 0s
      master_key_type = des3-hmac-sha1
      supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
     }
     realm2 = {
      profile = /etc/krb5/krb5.conf
      database_name = /var/krb5kdc/realm2/principal
      admin_database_name = /var/krb5kdc/realm2/principal.kadm5
      admin_database_lockfile = /var/krb5kdc/realm2/principal.kadm5.lock
      admin_keytab = FILE:/var/krb5kdc/realm2/kadm5.keytab
      acl_file = /var/krb5kdc/realm2/kadm5.acl
      dict_file = /var/krb5kdc/kadm5.dict
      key_stash_file = /var/krb5kdc/realm2/.k5.realm2
      kadmin_port = 749
      max_life = 10h 0m 0s
      max_renewable_life = 7d 0h 0m 0s
     }

-- /etc/krb5/kdc.conf --

Here's an excerpt from my krb5.conf file:

- /etc/krb5/krb5.conf -

    [libdefaults]
     ticket_lifetime = 600
     default_realm = realm1
     default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
     default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
     permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
     kdc_timesync = 1
     ccache_type = 4
     forwardable = true
     proxiable = true

    [realms]
     realm1 = {
      kdc = kdc1:88
      kdc = kdc2:88
      admin_server = kdc1:748
      default_domain = csit.fsu.edu
     }
     realm2 = {
      kdc = kdc1:88
      kdc = kdc2:88
      admin_server = kdc1:749
      default_domain = csit.fsu.edu
     }

    [domain_realm]
     .csit.fsu.edu = realm1
     csit.fsu.edu = realm1

    [kdc]
     profile = /etc/krb5/kdc.conf

    [logging]
     kdc = FILE:/var/log/kerberos/krb5kdc.log
     admin_server = FILE:/var/log/kerberos/kadmin.log
     default = FILE:/var/log/kerberos/krb5lib.log

    [login]
     krb4_convert = false
     krb4_get_tickets = false

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }
     kinit = {
      forwardable = true
      renewable = true
     }

- /etc/krb5/krb5.conf -

I've created the database with

    kdb5_util -r realm2 -d /var/krb5kdc/realm2/principal -sf /var/krb5kdc/realm2/.k5.realm2 create -s

Yet when I try to launch

    krb5kdc -r realm1 -r realm2

I get this:

    krb5kdc: Cannot find/read stored master key - while fetching master key K/M for realm realm2

Realm #1 works fine by itself, but when I try to bring the second one in, that's when all the problems occur.
Single ldap installation with users from multiple realms... or possibly failover from one realm to the next
I've got an interesting dilemma. I've got users from two kerberos realms... one of them is under my control and the other is an active directory under control of central IT. They won't modify the AD to have any useful unix attributes, so I'm stuck building my own ldap solution.

Is there a way I can use a combination of nss_ldap and something like libpam_krb5/libpam_ldap to achieve the following for local logins? I don't think it is an issue if they already have a TGT.

    login: localuser
    password for [EMAIL PROTECTED]:

for users with krb5PrincipalName/userPasswd in our localrealm and:

    login: remoteuser
    password for [EMAIL PROTECTED]:

for users with in the remote/central realm?

I'd actually love to find a way to try [EMAIL PROTECTED] first then try [EMAIL PROTECTED] second, but I'm not seeing a clear path without writing my own pam module.

For clarity here's the example users:

    dn: uid=localuser,ou=People,dc=localrealm
    uid: localuser
    cn: Local Users
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: krb5Principal
    objectClass: shadowAccount
    krb5PrincipalName: [EMAIL PROTECTED]
    loginShell: /bin/bash
    uidNumber: 1118
    gidNumber: 200
    homeDirectory: /afs/localrealm/user/localuser
    gecos: Local User
    userPassword:: e0tFUkJFUk9TfW1jY2xpbWFuQENTLlRUVS5FRFU=
    (actually [EMAIL PROTECTED])

    dn: uid=remoteuser,ou=People,dc=localrealm
    uid: remoteuser
    cn: Remote User
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: krb5Principal
    objectClass: shadowAccount
    krb5PrincipalName: [EMAIL PROTECTED]
    loginShell: /bin/bash
    uidNumber: 1119
    gidNumber: 200
    homeDirectory: /afs/localrealm/user/remoteuser
    gecos: Remote User
    userPassword:: e0tFUkJFUk9TfW1jY2xpbWFuQENTLlRUVS5FRFU=
    (actually [EMAIL PROTECTED])
Multiple realms
Am I reading the docs correctly? The man page of krb5kdc states that there can be only one realm per TCP/UDP port. Am I reading it right?

Nix.
Re: Multiple realms
The following is from krb5kdc man page:

...
    krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3

specifies that the KDC listen on port 2001 for REALM1 and on port 2002 for REALM2 and REALM3. Additionally, per-realm parameters may be specified in the kdc.conf file.
...

Vlady

On Thu, 10 Jul 2003 14:45:05 +0200 Nikola Milutinovic [EMAIL PROTECTED] wrote:
> Am I reading the docs correctly? The man page of krb5kdc states that there can be only one realm per TCP/UDP port. Am I reading it right?
>
> Nix.
Re: Multiple realms
The multi-realm support in MIT Kerberos is kind of buggy. It's not something we really test. Don't be surprised if the docs don't correspond to the observed behavior. If you do figure out what works and what doesn't--especially if you figure out why things break--please let us know.