[7008] in Kerberos
Re: Two realms served by a single daemon
daemon@ATHENA.MIT.EDU (Joe Kovara)
Thu Apr 4 03:04:45 1996
To: kerberos@MIT.EDU
Date: Thu, 04 Apr 1996 04:52:27 GMT
From: joek@CyberSafe.com (Joe Kovara)
haynes@cats.ucsc.edu (James H. Haynes) wrote:
>You might elaborate on the reasons for wanting to do this. Seems to me the
>reason for having two realms is that neither trusts the Kerberos administrator
>of the other. When they are on the same server it seems like the people
>who run the server have to be trusted by both communities of users.
Trust is not always the primary consideration when using multiple
realms. For large organizations, the use of multiple realms is not
too unusual as an administrative or operational convenience.
("Deploying Kerberos for Large Organizations", TR-94-47, CyberSafe
Corp.)
One of the problems with realms is that they are--for most sites--a
new name space. DNS is another name space, and the effort required to
manage that name space should give anyone pause before embarking on
the creation of yet another. Thus, most organizations end up at one
of two extremes: one realm; or many realms (each of which maps
trivially to the DNS name space, from which the realm name can be
derived); anything else tends to get ugly. Realms also provide a
grouping mechanism (crude, but sometimes useful)--which may or may not
have anything to do with the trust accorded the people administering
those groups, or the systems providing security services.
The "conventional" reasons for separate realms don't necessarily apply
in these cases. And the conventional solution--separate (replicated)
hardware and software--is not necessarily appropriate. Consider an
organization with 25 KDCs. (50-100 is more typical of a large
organization with mission critical apps. that depend on Kerberos being
available at *all* times.) For every additional realm, they would
have to replicate those KDCs. That essentially makes the use of
multiple realms--even a single additional realm--a non-starter. It
would simply be too expensive unless those KDCs shared systems with
other applications or services (very bad idea).
Regards,
Joe Kovara / Director of Engineering / CyberSafe Corp.
1605 NW Sammamish Road, Suite 310 / Issaquah, WA 98027
joek@cybersafe.com / 206-391-6000 (phone) / 206-391-0508 (fax)