One domain and 3 realms - Different situation than previous thread


One domain and 3 realms - Different situation than previous thread

Francisco Oliveira-2
Hello,

I am studying a kerberos implementation for my company.
I am planning to configure three realms.
The realms are A.BASE.COM, B.BASE.COM and BASE.COM (hierarchical).
I have only *one* DNS domain base.com and I won't be changing that.
My question is, will the fact of having one DNS domain affect the
Kerberos service in any way? I won't be using the dns_lookup_realm
and dns_lookup_kdc.

I know that in each client's /etc/krb5.conf file I can configure a
[domain_realm] section.

I have read this thread
http://mailman.mit.edu/pipermail/kerberos/2005-June/007876.html where
it is stated that this configuration will be an administration
nightmare. My situation is different from the situation in this thread
in the sense that although there are three realms, only machines from
location A will be in realm A.BASE.COM, machines in location B will be
in realm B.BASE.COM, and BASE.COM is only for hierarchical trust and
some services.

I will have cross realm authentication (roaming authentication) so my
clients' /etc/krb5.conf will have the following entry:

[realms]
    A.BASE.COM = {
        kdc = server1.base.com
        admin_server = server1.base.com
        default_domain = base.com
    }

    B.BASE.COM = {
        kdc = serb.base.com
        admin_server = serb.base.com
        default_domain = base.com
    }

[domain_realm]
    .base.com = A.BASE.COM
    .base.com = B.BASE.COM

Is this possible? Do I need to create subdomains?

Best regards,

F.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: One domain and 3 realms - Different situation than previous thread

Kenneth G Raeburn
On Jun 13, 2005, at 10:33, fsoliv wrote:
> I am studying a kerberos implementation for my company.
> I am planning to configure three realms.
> The realms are A.BASE.COM, B.BASE.COM and BASE.COM (hierarchical).
> I have only *one* DNS domain base.com and I won't be changing that.
> My question is, will the fact of having one DNS domain affect the
> Kerberos service in any way? I won't be using the dns_lookup_realm
> and dns_lookup_kdc.


> I have read this thread
> http://mailman.mit.edu/pipermail/kerberos/2005-June/007876.html where
> it is stated that this configuration will be an administration
> nightmare.

I think "a bit of a headache" was the phrase used, not "nightmare". :-)

If you can commit to having some centrally maintained files that are
distributed to the workstations or servers (perhaps via cron jobs,
package updates, whatever, maybe symlinked into a shared, trusted file
system), you only need to update the one file.  In fact, if you've got
the location information stored somewhere (perhaps as which subnet the
machine's address is in, in your master zone file), you could
programmatically recreate the domain_realm section as needed and
distribute it.

>  My situation is different from the situation in this thread
> in the sense that although there are three realms, only machines from
> location A will be in realm A.BASE.COM, machines in location B will be
> in realm B.BASE.COM and BASE.COM is only for hierarchical trust and
> some services.

That mostly removes BASE.COM from consideration as far as determining
the realm of any given host.  So, effectively it's one domain with two
realms that we care about, for purposes of this discussion.  The
location is irrelevant, unless you're doing some per-location
centralized system management.

> [domain_realm]
> .base.com=A.BASE.COM
> .base.com=B.BASE.COM

If you're thinking that the library would try each realm listed this
way, you're going to be disappointed.  While the Kerberos specs allow
for services running on a single machine to have identities in multiple
realms, in our implementation, unless the realm is specified as part of
the principal name, the library will try to determine *one* realm for a
machine, and will use that; if the principal isn't found, you get an
error.

We also haven't yet implemented the KDC-based referral support that's
been proposed.

> Is this possible? Do I need to create subdomains?

What, like you said you wouldn't do, at the start of your message? :-)
Only if you can't distribute updates to the domain_realm section as
needed.

Ken

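Ken's suggestion of regenerating the [domain_realm] section programmatically from location data, worked through as an added example (this is not code from the thread or from MIT Kerberos). It parses a constructed zone-file fragment, assigns each host a realm by the subnet its address falls in, emits one explicit line per host with a single .base.com catch-all, and includes a toy resolver that follows the lookup order documented for krb5.conf (exact hostname first, then each parent domain with a leading dot). The hostnames, addresses, subnet-to-realm policy and fallback realm are all assumptions made for the example. Run on the two .base.com lines from the original post, the parser reports the duplicate key and the resolver returns only one realm, which is the point Ken makes above.

```python
# Added example (not from MIT Kerberos or the posters): generate a per-host
# [domain_realm] section for one DNS domain split across realms by subnet.
# Hostnames, addresses and the subnet policy below are made up.
import ipaddress
import re

DEFAULT_DOMAIN = "base.com"

# Constructed sample: fragment of a BIND-style base.com zone file.
ZONE_FILE = """\
$ORIGIN base.com.
server1   IN A 10.1.0.5     ; location A
ws-a01    IN A 10.1.2.17
ws-a02    IN A 10.1.3.200
serb      IN A 10.2.0.5     ; location B
ws-b01    IN A 10.2.7.33
kdc       IN A 10.0.0.10    ; central services
"""

# Assumed policy: which subnet (location) belongs to which realm.
SUBNET_REALMS = [
    (ipaddress.ip_network("10.1.0.0/16"), "A.BASE.COM"),
    (ipaddress.ip_network("10.2.0.0/16"), "B.BASE.COM"),
    (ipaddress.ip_network("10.0.0.0/24"), "BASE.COM"),
]

A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)$")


def parse_zone(text, origin=DEFAULT_DOMAIN):
    """Return {fqdn: IPv4Address} for the A records in a zone fragment."""
    hosts = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # strip zone comments
        m = A_RECORD.match(line) if line and not line.startswith("$") else None
        if m:
            name, ip = m.groups()
            fqdn = name if name.endswith(".") else f"{name}.{origin}"
            hosts[fqdn.rstrip(".").lower()] = ipaddress.ip_address(ip)
    return hosts


def realm_for_ip(ip):
    """First matching subnet wins; None if no location claims the address."""
    return next((realm for net, realm in SUBNET_REALMS if ip in net), None)


def build_domain_realm(hosts, fallback_realm="BASE.COM"):
    """Emit [domain_realm] with one explicit line per host.

    Per-host lines are unavoidable: the shared suffix .base.com can name
    only one realm, so it serves only as the catch-all at the end.
    """
    lines = ["[domain_realm]"]
    for fqdn in sorted(hosts):
        realm = realm_for_ip(hosts[fqdn])
        if realm is not None:
            lines.append(f"    {fqdn} = {realm}")
    lines.append(f"    .{DEFAULT_DOMAIN} = {fallback_realm}")
    lines.append(f"    {DEFAULT_DOMAIN} = {fallback_realm}")
    return "\n".join(lines) + "\n"


def parse_domain_realm(section_text):
    """Parse 'key = REALM' lines into (mapping, duplicated_keys).

    A key listed twice keeps its first value (this toy's assumption); the
    duplicates list is how a deployment script would reject such a file.
    """
    mapping, dups = {}, []
    for raw in section_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in mapping:
            dups.append(key)
        else:
            mapping[key] = value
    return mapping, dups


def lookup_realm(mapping, hostname):
    """Resolve a host in the order krb5.conf documents for [domain_realm]:
    exact hostname first, then each parent domain with a leading dot."""
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


if __name__ == "__main__":
    section = build_domain_realm(parse_zone(ZONE_FILE))
    print(section, end="")
    mapping, _ = parse_domain_realm(section)
    for h in ("ws-a01.base.com", "ws-b01.base.com", "new-host.base.com"):
        print(f"{h} -> {lookup_realm(mapping, h)}")
```

In a real deployment the generated section would be spliced into the centrally maintained krb5.conf and pushed out by whatever mechanism Ken lists (cron, package update, shared trusted file system); the duplicate-key check is worth running on the result before distribution, since a host that resolves to the wrong realm fails authentication rather than retrying the other realm.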

Re: One domain and 3 realms - Different situation than previous thread

Douglas E. Engert


Ken Raeburn wrote:


>
> We also haven't yet implemented the KDC-based referral support that's
> been proposed.
>
> Ken

Any chance the referral support will be added soon? Either the client
or the server side or both?




--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444