[1555] in Kerberos_V5_Development
Re: kdc.conf [realms] section
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Tue Aug 13 14:58:06 1996
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: hartmans@MIT.EDU, krbdev@MIT.EDU
From: Ken Raeburn <raeburn@cygnus.com>
Date: 13 Aug 1996 14:57:25 -0400
In-Reply-To: "Barry Jaspan"'s message of Tue, 13 Aug 1996 12:57:41 -0400
"Barry Jaspan" <bjaspan@MIT.EDU> writes:
> One occurs to me right away -- one server acting as slave for one
> realm and master KDC/admin server for another.
>
>Hmmm. When would this arrangement actually be used?
If I wanted a realm for RAEBURN.ORG, I might set up one of the
machines at Cygnus as the primary server. The two most likely
candidates are both running slave servers for CYGNUS.COM.
> It seems like it ought to be possible to use the load -update option
> to merge in just the entries from the realm the dual server is a slave
> for, without affecting the entries from the realm the dual server is a
> master for. This would the not require a separate dump/merge step at
> all.
Will that handle principals being deleted in the realm for which the
server is a slave (i.e., an entry in the database for which there is
no update in the dump file because it is supposed to go away)?
> One problem does occur to me. KADM5 policy names do not include
> realms. So, if the two realms had overlaping names for different
> policies, the values on the dual server would get overwritten. This
> could be solved by grepping out all policy lines from the dump file
> before loading it on the dual server. However, if the KDC ever starts
> using policies to make ticket-issuing decisions, this will be a problem.
Sounds like another reason for keeping the databases (and all
associated data) separate.
