I realize this will probably just muddy the waters, but they are waters you have to muddy at some point to effectively use Kerberos.

One of the key things to realize about Kerberos is that the fundamental unit of "membership" in a realm is the process, not the machine or user. A process is in the realm. Machines and users just happen to be different roles the process can take. You can set the krb5.conf of any process to any file you like. Every process on your machine can be in a different realm. It's not simple or easy, but it is possible. The contents of krb5.conf are defaults for the krb5_context of the process[1]. There are other ways to set those defaults (DNS SRV records are one). However, all the processes in the same realm ultimately have to share the same values that define a realm in the krb5_context of that process, and any processes that share those defining values are in the same realm regardless of where the process is actually running.

- Booker C. Bense

[1] A process can have more than one krb5_context, but let's not get too crazy.
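Added example, not part of the original post: a shell sketch of the per-process krb5.conf idea above, using the MIT krb5 environment variables KRB5_CONFIG and KRB5CCNAME so that two children on one host get different default realms and separate credential caches. The function names, realm names and KDC host are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example. Realm names and KDC hosts are constructed placeholders.

# write_krb5_conf DIR REALM KDC: create a minimal krb5.conf, print its path.
# DNS lookups are turned off so the file alone supplies the realm defaults.
write_krb5_conf() {
    conf="$1/krb5.$2.conf"
    cat > "$conf" <<EOF
[libdefaults]
    default_realm = $2
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $2 = {
        kdc = $3
    }
EOF
    printf '%s\n' "$conf"
}

# run_in_realm DIR REALM KDC CMD [ARGS...]: run CMD as a child whose Kerberos
# defaults come from its own krb5.conf and whose tickets go to its own ccache.
# env(1) scopes both variables to that child; the caller is left untouched.
run_in_realm() {
    rr_dir=$1 rr_realm=$2 rr_kdc=$3
    shift 3
    rr_conf=$(write_krb5_conf "$rr_dir" "$rr_realm" "$rr_kdc") || return 1
    env KRB5_CONFIG="$rr_conf" KRB5CCNAME="FILE:$rr_dir/ccache.$rr_realm" "$@"
}

# realm_of_conf FILE: print the default_realm a krb5.conf would give a process.
realm_of_conf() {
    awk -F= '/^[ \t]*default_realm[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# Demo (needs no Kerberos tools): two children on one host, two realms.
demo_dir=$(mktemp -d)
for demo_realm in EXAMPLE.COM EXAMPLE.ORG; do
    run_in_realm "$demo_dir" "$demo_realm" kdc.placeholder.invalid \
        sh -c 'echo "pid $$: $KRB5_CONFIG ($KRB5CCNAME)"'
done
rm -rf "$demo_dir"
```

When auditing a host, this is why /etc/krb5.conf alone does not tell you which realm a given process is using: check the KRB5_CONFIG value in that process's environment as well.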