[31832] in Kerberos
Re: Kerberos multi domain
daemon@ATHENA.MIT.EDU (Edward Murrell)
Fri Jan 1 21:11:26 2010
From: Edward Murrell <edward@murrell.co.nz>
To: "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <DD8E410DCC51E04D8BBC1D73193263EF0BD21F09@CORPMAIL06.corp.capgemini.com>
Date: Sat, 02 Jan 2010 15:10:56 +1300
Message-ID: <1262398256.2052.29.camel@boyle>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
As far as I know, MIT Kerberos can run multiple KDCs from the same
machine, but each realm needs to have its own IP or set of ports.
On Fri, 2010-01-01 at 13:19 +0100, BOUCHER, Flavien wrote:
> Hi,
>
> I need to set up Kerberos for six distinct domains; there is no trust relationship between them.
> When I set up the domains one at a time, it works.
>
> After testing each domain one by one, I merged the keytab files and changed the krb5.conf file:
>
> [libdefaults]
> default_realm = MSDEMO
> default_keytab_name = FILE:C:\Kerberos\lcserver01.keytab
> default_tkt_enctypes = rc4-hmac des-cbc-md5
> default_tgs_enctypes = rc4-hmac des-cbc-md5
> forwardable = true
> renewable = true
> noaddresses = true
> clockskew = 300
> [realms]
> MSDEMO = {
> kdc = dc.msdemo.local:88
> default_domain = dc.msdemo.local
> }
>
> MSDEMO2 = {
> kdc = dc2.msdemo2.local:88
> default_domain = msdemo2.local
> }
> [domain_realm]
> .msdemo.local = MSDEMO
> .msdemo2.local = MSDEMO2
>
>
> When I merge the keytabs of these two domains and change the krb5.conf, only the authentication for MSDEMO works.
> When I change the krb5.conf and enter default_realm = MSDEMO2, the authentication works for MSDEMO2.
>
> Is it possible to make the authentication work for both domains at the same time?
>
> Regards.
>
> Flavien.
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
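An added example, not part of the original messages: a small Python lint for the kind of two-realm krb5.conf quoted above, reporting deprecated enctypes and realms whose default_domain or [domain_realm] mapping does not line up. The names `parse`, `audit` and `WEAK` are choices made for this example, and the sample is a trimmed copy of the quoted file; it checks the file's internal consistency only and does not diagnose the keytab behaviour described in the thread.

```python
import re

# Constructed sample: trimmed copy of the two-realm krb5.conf quoted in the message.
SAMPLE = """\
[libdefaults]
default_tkt_enctypes = rc4-hmac des-cbc-md5
[realms]
MSDEMO = {
default_domain = dc.msdemo.local
}
MSDEMO2 = {
default_domain = msdemo2.local
}
[domain_realm]
.msdemo.local = MSDEMO
.msdemo2.local = MSDEMO2
"""
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "rc4-hmac", "arcfour-hmac"}  # RFC 6649, RFC 8429

def parse(text):
    """krb5.conf text -> {section: {key: [values]}}; a realm's braces nest a dict."""
    conf, section, realm = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, realm = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            realm = None
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                realm = section.setdefault(key, {})
            else:
                (section if realm is None else realm).setdefault(key, []).append(value)
    return conf

def audit(text):
    """Return findings: deprecated enctypes and realm/domain mismatches."""
    conf, findings = parse(text), []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for value in conf.get("libdefaults", {}).get(key, []):
            weak = sorted(WEAK & set(re.split(r"[\s,]+", value.lower())))
            if weak:
                findings.append(f"{key}: deprecated enctypes {' '.join(weak)}")
    mapping = conf.get("domain_realm", {})
    for realm, body in conf.get("realms", {}).items():
        suffixes = [d for d, realms in mapping.items() if realm in realms]
        if not suffixes:
            findings.append(f"{realm}: no [domain_realm] entry maps to it")
        for dom in body.get("default_domain", []):
            if dom not in suffixes and "." + dom not in suffixes:
                findings.append(f"{realm}: default_domain {dom} matches no mapped domain")
    return findings
```

Calling `audit(SAMPLE)` returns one finding for the enctype line and one for MSDEMO's default_domain, which names the KDC host rather than the domain used in [domain_realm].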