Created attachment 414505
/etc/init.d/kadmin patch including multirealm support

Description of problem:
Cannot configure Kerberos multi-realm kadmin/kpropd via the standard sysconfig way. There is no option for using multiple realms in Kerberos.

Version-Release number of selected component (if applicable):
krb5-server-1.6.1-36.el5_4.1

Actual results:
Cannot configure

Expected results:
Configuration available

Additional info:

ad1) If one wishes to use multiple realms on the same host, configuration of krb5kdc is no problem. I have to put KRB5KDC_ARGS="-r REALM1 -r REALM2" into the /etc/sysconfig/krb5kdc file, no problem here.

ad2) When someone wants to run kadmin above these two domains, it is necessary to run kadmin standalone on a different port for each realm, e.g.

/usr/kerberos/sbin/kadmind -r REALM1 -port 749
/usr/kerberos/sbin/kadmind -r REALM2 -port 748

There is no configuration option to do this.

ad3) When someone wants to propagate a multiple-realm Kerberos database to other kdc hosts, one should run something like this on the slave host:

/usr/kerberos/sbin/kpropd -S -r REALM1 -P 754
/usr/kerberos/sbin/kpropd -S -r REALM2 -P 753

There is no configuration option to do this.

Suggested solution:
Add a configuration file for kpropd (which does not exist at this time), put some MULTIPLEREALM variable into this file and into the kadmin configuration file, and edit the init scripts for kpropd and kadmind.

Example configuration files:

/etc/sysconfig/kprop
KPROP_ARGS=
MULTIREALMS="REALM1:754 REALM2:753"

/etc/sysconfig/kadmin
MULTIREALMS="REALM1:749 REALM2:748"

Diffs according to this feature (/etc/init.d/{kprop,kadmin}) are included in the attachment.
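The per-realm launch loop that the MULTIREALMS proposal above implies, written here as an added example (it is not the attached patch, which is not reproduced on this page): it parses the proposed MULTIREALMS="REALM:PORT REALM:PORT" format, rejects malformed entries before anything is started, and derives one kadmind and one kpropd command line per realm. The MULTIREALMS value is a constructed sample, and the daemon paths are the RHEL5 ones named in the report; in a real init script the value would be sourced from /etc/sysconfig/kadmin or /etc/sysconfig/kprop.

```shell
#!/bin/sh
# Added example: parse the MULTIREALMS="REALM:PORT REALM:PORT" format proposed
# in the report and derive one kadmind / kpropd invocation per realm. In an init
# script this value would be sourced from /etc/sysconfig/{kadmin,kprop}; here it
# is a constructed sample so the script runs stand-alone.
MULTIREALMS="REALM1:749 REALM2:748"

# Daemon paths as named in the report (RHEL5 layout); assumed for this example.
KADMIND=/usr/kerberos/sbin/kadmind
KPROPD=/usr/kerberos/sbin/kpropd

# Accept only REALM:PORT with a non-empty realm and a numeric port in 1..65535.
# A malformed sysconfig entry must fail loudly rather than hand a stray argument
# to a privileged daemon.
valid_pair() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;
    esac
    realm="${1%%:*}"
    port="${1#*:}"
    [ -n "$realm" ] || return 1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print the kadmind command line for each realm (one per line) without running
# it; the init script's start) branch would execute each line instead.
kadmind_cmds() {
    for pair in $MULTIREALMS; do
        valid_pair "$pair" || { echo "bad MULTIREALMS entry: $pair" >&2; return 1; }
        echo "$KADMIND -r ${pair%%:*} -port ${pair#*:}"
    done
}

# Same for kpropd in standalone mode (-S), using -P for the per-realm port.
kpropd_cmds() {
    for pair in $MULTIREALMS; do
        valid_pair "$pair" || { echo "bad MULTIREALMS entry: $pair" >&2; return 1; }
        echo "$KPROPD -S -r ${pair%%:*} -P ${pair#*:}"
    done
}

# Stand-alone usage: print the command lines for one daemon, or both by default.
case "${1:-}" in
    kadmind) kadmind_cmds ;;
    kpropd)  kpropd_cmds ;;
    *)       kadmind_cmds; kpropd_cmds ;;
esac
```

Because every entry is validated before the first command line is emitted, a single typo in the sysconfig file stops the whole start rather than leaving one realm's daemon silently missing, which is the failure an operator would otherwise only notice when propagation or admin requests for that realm start timing out.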
Created attachment 414506
/etc/init.d/kprop patch including multirealm support
Please look at the SSSD project. https://fedorahosted.org/sssd There is a consideration to add it to RHEL5.x. Can you please take a look and check if it would solve the problem?
hi,

it seems that this is not really related to this problem.

SSSD:
Its primary function is to provide access to identity and authentication remote resources through a common framework that can provide caching and offline support to the system.

but my problem is that one cannot configure Kerberos (kdc) so that it can run multiple realms on the same machine. kdc is only an underlying service of SSSD (I think).

nor does it solve the kdc cluster propagation.

fous
(In reply to comment #3)
> hi,
>
> it seems that this is not really related to this problem.
>
> SSSD:
> Its primary function is to provide access to identity and authentication
> remote resources through a common framework that can provide caching and offline
> support to the system.
>
> but my problem is that one cannot configure Kerberos (kdc) so that it can run
> multiple realms on the same machine. kdc is only an underlying service of SSSD (I
> think).
>
> nor does it solve the kdc cluster propagation.
>
> fous

Ah, OK. Sorry for the confusion.
I'd much prefer to have kadmind and kpropd just support multiple realms from a single process, the way krb5kdc does. Have forwarded this to upstream RT to see what they think.
We have contacted the MIT community and got feedback that they are generally open to making multiple realms work better for kadmind and kpropd. However, it is not a priority, so patches are welcome. If there is work that has been done in this area, they might have cycles to review the patches before the 1.9 release.
This issue is not going to be addressed in 5.x. We will pick it up from upstream (MIT) when it becomes available.
The patches (https://bugzilla.redhat.com/attachment.cgi?id=414506 and https://bugzilla.redhat.com/attachment.cgi?id=414505) themselves work for RHEL5/6, but I strongly agree with nalin (see https://bugzilla.redhat.com/show_bug.cgi?id=592884#c6) that we need a solution where kpropd and kadmind have built-in support for multiple realms (this is handled by upstream ticket http://krbdev.mit.edu/rt/Ticket/Display.html?id=6748). The trouble starts with RHEL7 and systemd, which doesn't provide any easy support for starting and managing a "random" number of daemon processes started by a script.