
Configuring multiple realms



Hi all.

I have successfully built and installed Heimdal 0.6. Now, I have a "star topology", one central office and several (remote) offices. I have setup DNS and mail accordingly, where remote offices have subdomains of our domain. LDAP will follow this philosophy. I would like Kerberos to do the same.

I would like to have our master-server (DEC AlphaServer 4100, running Tru64 UNIX 4.0D) to be the master for all realms, while the remote servers will be slaves. This is how our DNS is setup. Of course, I can let each remote server be its own KDC master, but I'd like replication.

KDC works fine, but KAdminD is having problems. This is my kdc.conf

[kdc]
        database = {
                realm           = EV.CO.YU
                realm           = JB.EV.CO.YU
                realm           = KI.EV.CO.YU
                realm           = NS.EV.CO.YU
                realm           = OU.EV.CO.YU
                realm           = PA.EV.CO.YU
                realm           = PB.EV.CO.YU
                realm           = RU.EV.CO.YU
                realm           = SE.EV.CO.YU
                realm           = SM.EV.CO.YU
                realm           = SO.EV.CO.YU
                realm           = SU.EV.CO.YU
                realm           = VR.EV.CO.YU
                realm           = ZR.EV.CO.YU
                dbname          = /var/opt/Heimdal-0.6/krb5kdc/heimdal
                mkey_file       = /var/opt/Heimdal-0.6/krb5kdc/m-key
                acl_file        = /var/opt/Heimdal-0.6/krb5kdc/kadmin.acl
                log_file        = /var/opt/Heimdal-0.6/krb5prop/prop.dat
        }
        require-preauth                 = false
        ports                           = 88 750
        enable-kerberos4                = false
        enable-524                      = false
        enable-http                     = false
        enable-kaserver                 = false
        check-ticket-addresses          = true
        allow-null-ticket-addresses     = true
        allow-anonymous                 = true
        encode_as_rep_as_tgs_rep        = false
        kdc_warn_pwexpire               = 7 days
        logging                         = SYSLOG:INFO:DAEMON

Is this OK? KDC doesn't seem to mind having multiple "realm" statements and I can authenticate just fine.

When I do "kinit admin/admin@EV.CO.YU" and then run "kadmin", I can access principals and all is well.

When I do "kinit admin/admin@NS.EV.CO.YU" and run "kadmin -r NS.EV.CO.YU" I can connect. But then issuing "list *", I get "kadmin: kadm5_get_principals: No such file or directory". Doing a trace on system calls ("truss") shows me that "kadmind" is doing this:

+ read /etc/krb5.conf
+ read /var/heimdal/kdc.conf
+ bind to the socket, accepts the connection
+ gets request for kadmin/admin@NS.EV.CO.YU from "kadmin" client (or at least that's what I read)
- tries to open "/var/heimdal/m-key" (FAILS)
- tries to open "/var/heimdal/heimdal.db" (FAILS)
- writes in response "<unspecified realm> ... No such file or directory"

QUESTION: Why is "kadmind" looking in the wrong place for master key file and the database?

Nix.
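For comparison with the trace above (kadmind falling back to /var/heimdal/m-key and /var/heimdal/heimdal.db for NS.EV.CO.YU), here is an added kdc.conf layout, not from the post, with one database block per realm. It assumes that Heimdal takes a single realm value from each database block and applies that block's paths only to that realm, and that the block may be repeated; the per-realm directory names under krb5kdc are hypothetical.

```ini
[kdc]
        # Assumption: one database block describes one realm, and the
        # block is repeated once per realm served by this KDC.
        database = {
                realm           = EV.CO.YU
                dbname          = /var/opt/Heimdal-0.6/krb5kdc/heimdal
                mkey_file       = /var/opt/Heimdal-0.6/krb5kdc/m-key
                acl_file        = /var/opt/Heimdal-0.6/krb5kdc/kadmin.acl
                log_file        = /var/opt/Heimdal-0.6/krb5prop/prop.dat
        }
        # Second realm: separate database, master key and admin ACL, so
        # the NS realm's secrets and kadmin rights are not shared with
        # the parent realm. The "ns/" subdirectory is a hypothetical name.
        database = {
                realm           = NS.EV.CO.YU
                dbname          = /var/opt/Heimdal-0.6/krb5kdc/ns/heimdal
                mkey_file       = /var/opt/Heimdal-0.6/krb5kdc/ns/m-key
                acl_file        = /var/opt/Heimdal-0.6/krb5kdc/ns/kadmin.acl
                log_file        = /var/opt/Heimdal-0.6/krb5prop/ns/prop.dat
        }
        # ... one further database block for each remaining realm ...
        require-preauth                 = false
        ports                           = 88 750
        logging                         = SYSLOG:INFO:DAEMON
```

A truss of kadmind after such a change should show it opening the ns/ paths rather than the /var/heimdal defaults when a kadmin/admin@NS.EV.CO.YU request arrives; if it still opens the defaults, the realm-to-block mapping assumed here does not hold for this Heimdal version.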