"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/admin/realm_config.rst" between
krb5-1.16.3.tar.gz and krb5-1.17.tar.gz

About: Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography (MIT implementation). Current release.

realm_config.rst  (krb5-1.16.3):realm_config.rst  (krb5-1.17)
skipping to change at line 12 skipping to change at line 12
============================= =============================
Before installing Kerberos V5, it is necessary to consider the Before installing Kerberos V5, it is necessary to consider the
following issues: following issues:
* The name of your Kerberos realm (or the name of each realm, if you * The name of your Kerberos realm (or the name of each realm, if you
need more than one). need more than one).
* How you will assign your hostnames to Kerberos realms. * How you will assign your hostnames to Kerberos realms.
* Which ports your KDC and and kadmind services will use, if they will * Which ports your KDC and and kadmind services will use, if they will
not be using the default ports. not be using the default ports.
* How many slave KDCs you need and where they should be located. * How many replica KDCs you need and where they should be located.
* The hostnames of your master and slave KDCs. * The hostnames of your master and replica KDCs.
* How frequently you will propagate the database from the master KDC * How frequently you will propagate the database from the master KDC
to the slave KDCs. to the replica KDCs.
Realm name Realm name
---------- ----------
Although your Kerberos realm can be any ASCII string, convention is to Although your Kerberos realm can be any ASCII string, convention is to
make it the same as your domain name, in upper-case letters. make it the same as your domain name, in upper-case letters.
For example, hosts in the domain ``example.com`` would be in the For example, hosts in the domain ``example.com`` would be in the
Kerberos realm:: Kerberos realm::
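Review bot: the duplicated word in the ports bullet, `Which ports your KDC and and kadmind services will use`, survives unchanged on both sides of this hunk; since this list is being edited anyway, drop the second `and`. The slave-to-replica renaming in the remaining bullets is applied consistently, but `master KDC` is left as is, so the list now pairs `master` with `replica` rather than `slave`.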
skipping to change at line 93 skipping to change at line 93
------------------------------------ ------------------------------------
The default ports used by Kerberos are port 88 for the KDC and port The default ports used by Kerberos are port 88 for the KDC and port
749 for the admin server. You can, however, choose to run on other 749 for the admin server. You can, however, choose to run on other
ports, as long as they are specified in each host's ports, as long as they are specified in each host's
:ref:`krb5.conf(5)` files or in DNS SRV records, and the :ref:`krb5.conf(5)` files or in DNS SRV records, and the
:ref:`kdc.conf(5)` file on each KDC. For a more thorough treatment of :ref:`kdc.conf(5)` file on each KDC. For a more thorough treatment of
port numbers used by the Kerberos V5 programs, refer to the port numbers used by the Kerberos V5 programs, refer to the
:ref:`conf_firewall`. :ref:`conf_firewall`.
Slave KDCs Replica KDCs
------------
Slave KDCs provide an additional source of Kerberos ticket-granting Replica KDCs provide an additional source of Kerberos ticket-granting
services in the event of inaccessibility of the master KDC. The services in the event of inaccessibility of the master KDC. The
number of slave KDCs you need and the decision of where to place them, number of replica KDCs you need and the decision of where to place them,
both physically and logically, depends on the specifics of your both physically and logically, depends on the specifics of your
network. network.
Kerberos authentication requires that each client be able to contact a Kerberos authentication requires that each client be able to contact a
KDC. Therefore, you need to anticipate any likely reason a KDC might KDC. Therefore, you need to anticipate any likely reason a KDC might
be unavailable and have a slave KDC to take up the slack. be unavailable and have a replica KDC to take up the slack.
Some considerations include: Some considerations include:
* Have at least one slave KDC as a backup, for when the master KDC is * Have at least one replica KDC as a backup, for when the master KDC
down, is being upgraded, or is otherwise unavailable. is down, is being upgraded, or is otherwise unavailable.
* If your network is split such that a network outage is likely to * If your network is split such that a network outage is likely to
cause a network partition (some segment or segments of the network cause a network partition (some segment or segments of the network
to become cut off or isolated from other segments), have a slave KDC to become cut off or isolated from other segments), have a replica
accessible to each segment. KDC accessible to each segment.
* If possible, have at least one slave KDC in a different building * If possible, have at least one replica KDC in a different building
from the master, in case of power outages, fires, or other localized from the master, in case of power outages, fires, or other localized
disasters. disasters.
.. _kdc_hostnames: .. _kdc_hostnames:
Hostnames for KDCs Hostnames for KDCs
------------------ ------------------
MIT recommends that your KDCs have a predefined set of CNAME records MIT recommends that your KDCs have a predefined set of CNAME records
(DNS hostname aliases), such as ``kerberos`` for the master KDC and (DNS hostname aliases), such as ``kerberos`` for the master KDC and
``kerberos-1``, ``kerberos-2``, ... for the slave KDCs. This way, if ``kerberos-1``, ``kerberos-2``, ... for the replica KDCs. This way,
you need to swap a machine, you only need to change a DNS entry, if you need to swap a machine, you only need to change a DNS entry,
rather than having to change hostnames. rather than having to change hostnames.
As of MIT krb5 1.4, clients can locate a realm's KDCs through DNS As of MIT krb5 1.4, clients can locate a realm's KDCs through DNS
using SRV records (:rfc:`2782`), assuming the Kerberos realm name is using SRV records (:rfc:`2782`), assuming the Kerberos realm name is
also a DNS domain name. These records indicate the hostname and port also a DNS domain name. These records indicate the hostname and port
number to contact for that service, optionally with weighting and number to contact for that service, optionally with weighting and
prioritization. The domain name used in the SRV record name is the prioritization. The domain name used in the SRV record name is the
realm name. Several different Kerberos-related service names are realm name. Several different Kerberos-related service names are
used: used:
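Review bot: verify the title underline of the renamed section. reStructuredText requires the underline to be at least as long as the title, and `Replica KDCs` is two characters longer than `Slave KDCs`, so the `------------` line must be lengthened together with the heading; a Sphinx build with warnings enabled will flag it if the lengths disagree. The bullets under `Some considerations include:` were rewrapped for the longer word and keep their indentation, which is correct. `master KDC` remains throughout this hunk and in the CNAME example (`kerberos` for the master, `kerberos-1`, `kerberos-2` for the replicas), so master/replica is now the document's convention.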
skipping to change at line 244 skipping to change at line 244
:ref:`krb5.conf(5)` to False. When enabled, URI lookups take :ref:`krb5.conf(5)` to False. When enabled, URI lookups take
precedence over SRV lookups, falling back to SRV lookups if no URI precedence over SRV lookups, falling back to SRV lookups if no URI
records are found. records are found.
.. _db_prop: .. _db_prop:
Database propagation Database propagation
-------------------- --------------------
The Kerberos database resides on the master KDC, and must be The Kerberos database resides on the master KDC, and must be
propagated regularly (usually by a cron job) to the slave KDCs. In propagated regularly (usually by a cron job) to the replica KDCs. In
deciding how frequently the propagation should happen, you will need deciding how frequently the propagation should happen, you will need
to balance the amount of time the propagation takes against the to balance the amount of time the propagation takes against the
maximum reasonable amount of time a user should have to wait for a maximum reasonable amount of time a user should have to wait for a
password change to take effect. password change to take effect.
If the propagation time is longer than this maximum reasonable time If the propagation time is longer than this maximum reasonable time
(e.g., you have a particularly large database, you have a lot of (e.g., you have a particularly large database, you have a lot of
slaves, or you experience frequent network delays), you may wish to replicas, or you experience frequent network delays), you may wish to
cut down on your propagation delay by performing the propagation in cut down on your propagation delay by performing the propagation in
parallel. To do this, have the master KDC propagate the database to parallel. To do this, have the master KDC propagate the database to
one set of slaves, and then have each of these slaves propagate the one set of replicas, and then have each of these replicas propagate
database to additional slaves. the database to additional replicas.
See also :ref:`incr_db_prop` See also :ref:`incr_db_prop`
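Review bot: the closing line `See also :ref:`incr_db_prop`` has no terminating period, unlike every other sentence in the section; add one. The renaming in the parallel-propagation paragraph is consistent, but the text now says that each intermediate replica `propagate[s] the database to additional replicas`, which makes those intermediate hosts propagation sources in their own right; it is worth stating that they therefore need the same protection and access control as the master KDC.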
 End of changes. 12 change blocks. 
18 lines changed or deleted 19 lines changed or added
