[3864] in Kerberos


Re: crash of a Kerberos server

daemon@ATHENA.MIT.EDU (Derek Atkins)
Mon Sep 19 15:59:22 1994

To: zhgpc@ubs.ch (Graber Patrick)
Cc: kerberos@MIT.EDU
In-Reply-To: [3860] in Kerberos
Date: Mon, 19 Sep 94 15:22:53 EDT
From: Derek Atkins <warlord@MIT.EDU>

Graber --

Why didn't you ask all your questions in a single mail message?  Well,
I am going to answer them all in a single reply.

> What happens if a Kerberos authentication server or a TGS
> crashes?

The client goes to a slave server.  In the configuration file you
have something that looks like:

ATHENA.MIT.EDU
ATHENA.MIT.EDU kerberos.mit.edu admin server
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu admin server
LCS.MIT.EDU kerberos-1.lcs.mit.edu

This means that the default realm is ATHENA.MIT.EDU, and it will try
the master (admin server) on kerberos.mit.edu.  If there is no reply
after some timeout period, it will try kerberos-1, then kerberos-2,
and so on.  This is done in the kerberos library, so the application
need not worry about this.

If you only have one server, non-replicated, and it goes down, well,
you're SOL.  But then again, if you only have a single nameserver and
it goes down, too, you are SOL, so that's ok.  It's exactly why you
should replicate the database onto at least a second server.

> Has anyone implemented `single signon' using Kerberos tickets?
> How does it work if you have several realms? Does anybody know
> papers about `single signon' using Kerberos tickets?

Yes.  The MIT/Athena xlogin program is a single signon service.  A
user walks up to an Athena cluster machine (well, any Athena machine)
and sees xlogin.  The user types in username and password (kerberos
password), and is authenticated by Kerberos and logged in.  Homedir
gets attached, and custom environment is set up.  From there, all
services use the kerberos tickets obtained from the login, until those
tickets expire.

> Is it possible to build hierarchical realms?

Well, I guess it depends on what you mean by hierarchical realms.  I
believe the answer is "yes", but it depends on what you are trying to
accomplish.  A realm is a realm, and the authorization of
warlord@ATHENA.MIT.EDU is not the same as the authorization of
warlord@MEDIA-LAB.MIT.EDU, which is not the same as the authorization
of warlord@LAB214.BELLCORE.COM or warlord@GZA.COM, even though I am
the person that owns those IDs.

I hope this helps.

-derek

         Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory
       Member, MIT Student Information Processing Board (SIPB)
    Home page: http://www.mit.edu:8001/people/warlord/home_page.html
       warlord@MIT.EDU    PP-ASEL     N1NWH    PGP key available
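Added example, not from the message or from MIT's Kerberos code: a small Python parser for the krb.conf layout quoted above (first line is the default realm, then one "realm host [admin server]" line per KDC), plus a simulation of the client-side fallback the reply describes, trying servers in file order until one answers. The function names, the `is_up` callback and the sample text (constructed from the lines in the message) are all assumptions.

```python
"""Parse a Kerberos v4 style krb.conf and compute the KDC try order."""

# Constructed sample mirroring the configuration quoted in the message.
SAMPLE_KRB_CONF = """\
ATHENA.MIT.EDU
ATHENA.MIT.EDU kerberos.mit.edu admin server
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu admin server
LCS.MIT.EDU kerberos-1.lcs.mit.edu
"""


def parse_krb_conf(text):
    """Return (default_realm, {realm: [(host, is_admin), ...]}).

    The first non-blank line names the default realm; every later line is
    'REALM host' optionally followed by 'admin server' to mark the master.
    Servers are kept in file order, which is the order the client tries them.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    default_realm = lines[0].split()[0]
    servers = {}
    for ln in lines[1:]:
        parts = ln.split()
        realm, host = parts[0], parts[1]
        is_admin = parts[2:4] == ["admin", "server"]
        servers.setdefault(realm, []).append((host, is_admin))
    return default_realm, servers


def kdc_order(servers, realm):
    """Hosts for a realm in the order the library will try them."""
    return [host for host, _ in servers[realm]]


def admin_server(servers, realm):
    """The master (admin server) for a realm, or None if none is marked."""
    return next((host for host, admin in servers[realm] if admin), None)


def first_responding_kdc(order, is_up):
    """Simulate the fallback: first KDC that answers, None if all are down.

    is_up(host) stands in for 'got a reply before the timeout'.
    """
    for host in order:
        if is_up(host):
            return host
    return None
```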
