Add second realm to existing KDC ?


Add second realm to existing KDC ?

Matt Lists
Hi, we've been running a very simple MIT krb5 KDC for a single realm for
years with no problems.  Now, we'd like to add a second realm to the
mix.  Can it easily be added to the same KDC?   We don't need
cross-realm trust or anything.

If possible, then what would be the steps?  Add new realm to krb5.conf &
kdc.conf ?  Create new master database?  Or could the existing database
be used?  New tgt for the new domain?  What else?

Sorry for the basic question, but I could not find any info online.

Thanks,
chris
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Add second realm to existing KDC ?

Greg Hudson
On 9/10/19 12:25 PM, chris wrote:
> Hi, we've been running a very simple MIT krb5 KDC for a single realm for
> years with no problems.  Now, we'd like to add a second realm to the
> mix.  Can it easily be added to the same KDC?   We don't need
> cross-realm trust or anything.

To a rough approximation, each realm needs its own KDC and kadmind
processes, and its own database.  They can run on the same host on
different ports.

krb5kdc can be instructed to serve multiple realms (by passing it
multiple -r options on the command line), but kadmind does not have the
same support.  You would still need separate databases for each realm.

> If possible, then what would be the steps?  Add new realm to krb5.conf &
> kdc.conf ?  Create new master database?  Or could the existing database
> be used?  New tgt for the new domain?  What else?

Assuming you are co-hosting the realms:

Add the new realm specification to the config files.  Make sure ports
are specified in realm config, not in [kdcdefaults], so that each
process can use separate ports.  Create a new database for the new realm.

Then arrange for krb5kdc to be run with "-r REALM" flags for each realm,
and similarly for kadmind.  How you do this part is system-specific.
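The steps described in the reply above, as an added worked example that is not part of the thread: a small POSIX shell script that emits the kdc.conf stanzas for two co-hosted realms (ports and database per realm, nothing port-related in [kdcdefaults]), the matching client-side krb5.conf [realms] entries, and the commands to create the second database and start one krb5kdc for both realms plus one kadmind per realm. The realm names EXAMPLE.COM and SECOND.EXAMPLE, the ports 1088/1749, the host kdc.example.com and the paths under /var/lib/krb5kdc and /etc/krb5kdc are assumptions; adjust them to your site.

```shell
#!/bin/sh
# Added example, not from the thread: generate the per-realm configuration
# for two realms co-hosted on one KDC. Realm names, ports and file paths
# are assumptions.

# Lower-case, dotless realm name used to keep each realm's files apart.
slug() { printf '%s' "$1" | tr 'A-Z.' 'a-z_'; }

# One kdc.conf [realms] stanza. The KDC and kadmind ports live here, not
# in [kdcdefaults], so each realm's processes can bind their own ports.
# Each realm also gets its own database, stash file and kadmind ACL, so
# admin rights granted in one realm do not carry over to the other.
realm_stanza() {
    realm=$1; kdc_port=$2; kadmind_port=$3; s=$(slug "$realm")
    cat <<EOF
    $realm = {
        database_name = /var/lib/krb5kdc/principal_$s
        key_stash_file = /var/lib/krb5kdc/stash_$s
        acl_file = /etc/krb5kdc/kadm5_$s.acl
        kdc_ports = $kdc_port
        kdc_tcp_ports = $kdc_port
        kadmind_port = $kadmind_port
    }
EOF
}

# Whole kdc.conf: realm 1 keeps the default ports, realm 2 gets its own.
gen_kdc_conf() {
    printf '[kdcdefaults]\n'
    printf '    # no listener settings here; each realm stanza carries its own\n\n'
    printf '[realms]\n'
    realm_stanza "$1" 88 749
    realm_stanza "$2" 1088 1749
}

# Client-side krb5.conf [realms] entries. The second realm's non-default
# ports must be given explicitly, or clients will try 88 and 749.
gen_krb5_conf_realms() {
    host=$3
    cat <<EOF
[realms]
    $1 = {
        kdc = $host:88
        admin_server = $host:749
    }
    $2 = {
        kdc = $host:1088
        admin_server = $host:1749
    }
EOF
}

# Commands to run afterwards (printed, not executed): create the second
# realm's database with a stash file, then start a single krb5kdc serving
# both realms and one kadmind per realm, since kadmind serves one realm.
print_start_commands() {
    cat <<EOF
kdb5_util -r $2 create -s
krb5kdc -r $1 -r $2
kadmind -r $1
kadmind -r $2
EOF
}

# Usage: sh two_realms.sh EXAMPLE.COM SECOND.EXAMPLE kdc.example.com
if [ $# -eq 3 ]; then
    gen_kdc_conf "$1" "$2"
    echo
    gen_krb5_conf_realms "$1" "$2" "$3"
    echo
    print_start_commands "$1" "$2"
fi
```

The script only prints configuration and commands; review the output, merge the stanzas into your existing kdc.conf and krb5.conf, and wire the krb5kdc and kadmind invocations into whatever service manager your system uses, as the reply notes that part is system-specific.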

Re: Add second realm to existing KDC ?

Matt Lists
On 9/10/19 12:43 PM, Greg Hudson wrote:
> Add the new realm specification to the config files.  Make sure ports
> are specified in realm config, not in [kdcdefaults], so that each
> process can use separate ports.  Create a new database for the new realm.
>
> Then arrange for krb5kdc to be run with "-r REALM" flags for each realm,
> and similarly for kadmind.  How you do this part is system-specific.
Greg, thank you very much.  I will give it a go.

I'd rather have a single KDC with a slightly wonky setup than 2 separate
vanilla KDCs.  :-)

Thanks,
chris