[6997] in Kerberos
Re: Two realms served by a single daemon
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Wed Apr 3 11:14:25 1996
Date: Wed, 3 Apr 96 10:57:31 EST
From: Barry Jaspan <bjaspan@bbnplanet.com>
To: Alexandre Khalil <iskandar@eesun1.tamu.edu>
Cc: kerberos@MIT.EDU
In-Reply-To: [6989]

> We would like to set up a server that would serve two realms.
> Is that possible on Kerberos 5? Would someone who has done it
> share his configuration with us?

In Kerberos 5 beta 4, it worked fine. All you had to do was create
the new ticket-granting ticket principal in the existing database, and
then whatever new principals you wanted in the new realm, and it
worked. We were even able to create inter-realm tgts between the two
realms in a single database, and it also worked fine. Of course, you
have to set up your krb.conf (now krb5.conf I guess) correctly.

In other words, if your Kerberos server is set up to serve ONE.COM,
you just create

    krbtgt/TWO.COM@TWO.COM
    username@TWO.COM

in your existing database. Then you can also create, if you want
inter-realm,

    krbtgt/ONE.COM@TWO.COM
    krbtgt/TWO.COM@ONE.COM

with the same password. You can create these principals with
kdb5_edit.

This was all with beta 4, and krb5 has changed a lot since then, but I
assume the MIT development team did not (intentionally) remove this
functionality.

Barry
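
A client-side krb5.conf for the layout described in the message above, as an added example that is not part of the original post: both realms point at the same KDC host. The hostname kdc.one.com and the DNS domain mappings are assumptions, and the syntax is that of current MIT krb5 rather than beta 4.

```ini
[libdefaults]
    default_realm = ONE.COM

# Both realms resolve to the same KDC host.
# kdc.one.com is an assumed hostname, not taken from the message.
[realms]
    ONE.COM = {
        kdc = kdc.one.com
    }
    TWO.COM = {
        kdc = kdc.one.com
    }

# Assumed DNS domains for the hosts in each realm.
[domain_realm]
    .one.com = ONE.COM
    .two.com = TWO.COM

# "." declares a direct path with no intermediate realm, which is what
# the krbtgt/TWO.COM@ONE.COM and krbtgt/ONE.COM@TWO.COM principals provide.
[capaths]
    ONE.COM = {
        TWO.COM = .
    }
    TWO.COM = {
        ONE.COM = .
    }
```

The [capaths] section only matters if the inter-realm principals were created; without them, each realm authenticates independently even though one host answers for both.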