This section covers the installation of the MIT Kerberos implementation as well as some aspects of administration. This section assumes you are familiar with the basic concepts of Kerberos (see also Chapter 46, Network Authentication—Kerberos).
The domain of a Kerberos installation is called a realm and is identified by a name, such as FOOBAR.COM or simply ACCOUNTING. Kerberos is case-sensitive, so foobar.com is actually a different realm than FOOBAR.COM. Use the case you prefer. It is common practice, however, to use uppercase realm names.

It is also a good idea to use your DNS domain name (or a subdomain, such as ACCOUNTING.FOOBAR.COM). As shown below, your life as an administrator can be much easier if you configure your Kerberos clients to locate the KDC and other Kerberos services via DNS. To do so, it is helpful if your realm name is a subdomain of your DNS domain name.
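The following krb5.conf fragment is an added illustration (not from the original manual) of a client that derives the realm EXAMPLE.COM from the DNS domain example.com and locates its KDC through DNS; the host name kdc.example.com and the SRV records listed in the comments are assumed placeholders.

```ini
# /etc/krb5.conf -- added example; kdc.example.com and the DNS records
# quoted in comments are assumed placeholders, not values from the manual.
[libdefaults]
    # Realm names are case-sensitive; the uppercase DNS domain is the convention.
    default_realm = EXAMPLE.COM
    # Let clients find KDCs through DNS SRV records instead of a static list.
    # The zone for example.com would then carry records such as:
    #   _kerberos._udp.example.com.        SRV 0 0 88  kdc.example.com.
    #   _kerberos._tcp.example.com.        SRV 0 0 88  kdc.example.com.
    #   _kerberos-master._udp.example.com. SRV 0 0 88  kdc.example.com.
    #   _kpasswd._udp.example.com.         SRV 0 0 464 kdc.example.com.
    #   _kerberos-adm._tcp.example.com.    SRV 0 0 749 kdc.example.com.
    dns_lookup_kdc = true
    # Host-to-realm mapping stays static (see [domain_realm]) rather than
    # being taken from unauthenticated _kerberos TXT records in DNS.
    dns_lookup_realm = false

[realms]
    # Static fallback, used when DNS lookup is disabled or returns nothing.
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    # Lowercase DNS names on the left, case-sensitive realm name on the right.
    # accounting.example.com also maps to the single realm EXAMPLE.COM:
    # it is a subdomain, not a "subrealm", since realms are not hierarchical.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```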
Unlike the DNS name space, Kerberos is not hierarchical. You cannot set up a realm named FOOBAR.COM, have two “subrealms” named DEVELOPMENT and ACCOUNTING underneath it, and expect the two subordinate realms to somehow inherit principals from FOOBAR.COM. Instead, you would have three separate realms for which you would have to configure crossrealm authentication for users from one realm to interact with servers or other users from another realm.

For the sake of simplicity, assume you are setting up just one realm for your entire organization. For the remainder of this section, the realm name EXAMPLE.COM is used in all examples.