[16325] in Kerberos_V5_Development
Re: Project Review: kinit -C
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Thu Sep 16 18:06:04 2010
Date: Thu, 16 Sep 2010 17:04:13 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Tim Mooney <mooney@dogbert.cc.ndsu.nodak.edu>
Message-ID: <20100916220412.GO3982@oracle.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <alpine.SOC.2.01.1009161648022.28233@dogbert.cc.ndsu.NoDak.edu>
Cc: Kerberos Devel list <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Thu, Sep 16, 2010 at 04:49:16PM -0500, Tim Mooney wrote:
> In regard to: Re: Project Review: kinit -C, Nicolas Williams said (at...:
>
> > IMO there should be a single KDB per-KDC host because: a) one should use
> > VMs to run distinct realms' KDCs on a single system,
>
> I'll bite. Why?
First, remember that I'm saying I don't mind if Sam doesn't "change to
the KDB keytab to take the realm of the KDB as its argument". That is,
I don't mind that, but I don't think it should be required.

Now, the answer to your question... If you're going to run multiple
KDCs on one system w/o virtualization, then you'll need to use
non-default ports. And while that's workable now that DNS SRV RRs can be
used for discovery, using non-default port numbers is still a PITA.

Finally, if multiple KDCs on different ports happen to work but
kinit -k -t KDB:... doesn't work for more than just one realm, I don't
think I mind -- that's hardly a critical feature.

Also, allowing multiple KDCs on different network interfaces would add
significant complexity to the network re-configuration code and/or would
mean that krb5kdc and kadmind cannot adjust automatically to network
configuration. So it really has to be the case that if you must run
multiple KDCs on one host then they must use different port numbers.

Virtualization is an easy answer here. But also, as I said, there's no
reason that one KDB couldn't hold more than one realm's principals in
it, so that if you don't want to virtualize, then why not just make it
so multiple realms can share one KDB? krb5kdc already supports that...
Only kadmind (and kpropd?) doesn't.
Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
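The message above says non-default KDC ports are workable because clients can find them through DNS SRV records. As an added example, not code from the thread or from the MIT krb5 project, here is the client-side half of that: parsing a dig-style SRV answer set and ordering the candidates the way RFC 2782 prescribes (lowest priority first, weighted random within a priority, and the "." target meaning the realm has no service). The realms, hostnames and ports in the sample are invented; they model the case under discussion, a second realm's KDC on the same host on a non-default port. MIT krb5 performs this lookup inside the library when dns_lookup_kdc is enabled; this standalone script only shows what the records must carry for such a KDC to be reached.

```python
"""
Order Kerberos KDC endpoints discovered via DNS SRV records
(RFC 2782; RFC 4120 section 7.2.3.2 names _kerberos._udp.<realm>).
Added illustration, not krb5 library code; the answer set below is
constructed, not the result of a live lookup.
"""
import random
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape `dig +noall +answer SRV <name>` prints:
# owner ttl class type priority weight port target.  All names and ports
# are hypothetical.  kdc1 serves EXAMPLE.COM on 88 and LAB.EXAMPLE.COM on
# 1088 (a second KDC on one host, non-default port); a standby KDC sits at
# priority 10 on 8088; DEAD.EXAMPLE.COM advertises "no service" (target ".").
SAMPLE_SRV_ANSWERS = """\
_kerberos._udp.EXAMPLE.COM.      300 IN SRV 0  100 88   kdc1.example.com.
_kerberos._udp.EXAMPLE.COM.      300 IN SRV 0  50  88   kdc2.example.com.
_kerberos._udp.EXAMPLE.COM.      300 IN SRV 10 0   8088 kdc-standby.example.com.
_kerberos._udp.LAB.EXAMPLE.COM.  300 IN SRV 0  0   1088 kdc1.example.com.
_kerberos._udp.DEAD.EXAMPLE.COM. 300 IN SRV 0  0   0    .
"""


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # e.g. "_kerberos._udp.example.com" (lowercased, no trailing dot)
    priority: int   # lower values are tried first
    weight: int     # relative share among records of the same priority
    port: int
    target: str     # "" when the RR target is ".", i.e. service explicitly absent


def parse_srv(text):
    """Parse zone-file / dig style SRV lines into SrvRecord objects."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
            raise ValueError(f"not an SRV record: {raw!r}")
        owner, _ttl, _cls, _rtype, prio, weight, port, target = fields
        port = int(port)
        if not 0 <= port <= 65535:
            raise ValueError(f"bad port in {raw!r}")
        records.append(SrvRecord(
            owner=owner.rstrip(".").lower(),
            priority=int(prio), weight=int(weight), port=port,
            target="" if target == "." else target.rstrip(".").lower()))
    return records


def kdc_candidates(records, realm, proto="udp", rng=None):
    """Return [(host, port), ...] in the order a client should contact them.

    RFC 2782 selection: priorities ascending; within a priority, a weighted
    random draw in [0, sum(weights)] with zero-weight records listed first,
    so they are picked only when the draw is 0.  If every weight is zero the
    records are taken uniformly at random.  `rng` needs randint(a, b); pass a
    fixed one for reproducible order.  Returns [] when the realm has no
    records, or when its only record has target ".", which RFC 2782 defines
    as "service decidedly not available at this domain".
    """
    rng = rng if rng is not None else random.Random()
    owner = f"_kerberos._{proto}.{realm}".lower()
    mine = [r for r in records if r.owner == owner]
    if not mine or (len(mine) == 1 and mine[0].target == ""):
        return []
    by_priority = defaultdict(list)
    for r in mine:
        by_priority[r.priority].append(r)
    ordered = []
    for priority in sorted(by_priority):
        # stable sort: zero-weight entries first, otherwise DNS answer order
        pool = sorted(by_priority[priority], key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = pool[rng.randint(0, len(pool) - 1)]
            else:
                draw = rng.randint(0, total)
                running = 0
                for pick in pool:
                    running += pick.weight
                    if running >= draw:
                        break
            ordered.append((pick.target, pick.port))
            pool.remove(pick)
    return ordered


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_SRV_ANSWERS)
    for realm in ("EXAMPLE.COM", "LAB.EXAMPLE.COM", "DEAD.EXAMPLE.COM"):
        print(realm, "->", kdc_candidates(recs, realm))
```

SRV records only solve the discovery half: the second krb5kdc on the host still has to be told to listen on 1088 rather than 88 (kdc_ports / kdc_tcp_ports in kdc.conf), which is the operational cost the message calls a PITA. Note that the "." target is a real edge case: a resolver that treats it as a host named "." will try to contact nothing useful instead of failing fast.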