You shape the world view (REALM, DNS domain to realm mapping, default_realm) in your krb5.conf on your participating systems. You don't need to have DNS SRV records for everything you are doing (but they help / can be a hindrance, e.g. performance).

Your one rule is you must use unique namespaces for these (e.g. you can't have two competing KDCs with different DBs handling the same REALM). But 2 different realms on the same subnets with common DNS but different REALMs and KDCs are handled in the [domain_realm] section of the krb5.conf and are discussed in detail here:

https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html

And pay attention to the relationship between fwd/reverse DNS and Kerberos here:

http://web.mit.edu/kerberos/krb5-1.12/doc/admin/princ_dns.html

So for example a set of systems starting in a development realm migrating to a production realm status... it's a point of whatever the clients and servers are configured to focus on with regard to realm and KDC... will be what's used... so it's not really a "don't do that"... but more of a "be prepared to manage the complexity" if they are going to overlap. At some point a DNS subdomain goes a long way to mitigate the complexity of having to manage lots and lots of static host-specific entries in a [domain_realm] section of the krb5.conf.

On Mon, Dec 5, 2016 at 11:15 AM, Nordgren, Bryce L -FS <bnordg...@fs.fed.us> wrote:
> The answer is probably going to be "you can't do that", but I figured I'd
> ask anyway.
>
> Parameter #1: I have been allocated a handful of non-routable IP subnets
> on a university network where I am a guest.
> Parameter #2: Associated with the above is a single DNS subdomain.
> Parameter #3: The university retains control over DNS and DHCP.
> Parameter #4: The university set up the correct SRV records so that I can
> operate a KDC on my subdomain.
>
> My question is: Is there any way to operate two KDCs on the same DNS
> subdomain, serving complementary hosts?
>
> Reason #1: I want the "lightest footprint" possible, so as not to annoy
> our hosts.
> Reason #2: I want to take advantage of some of the centralized management
> niceties of AD and FreeIPA for Windows and Linux, respectively.
> Reason #3: I'm not sure I understand how to implement any kind of
> automatic Win/Linux segregation at the network level.
> Reason #4: Aside from the constraints Kerberos may (?) impose, I see no
> compelling reason to corral machines into subdomains by OS.
>
> Thanks for your patience.
> Bryce
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
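As an added illustration of the [domain_realm] mechanism the reply above leans on (this is not code from the thread, nor from MIT krb5 itself), the script below embeds a constructed krb5.conf with two realms sharing one DNS subdomain and walks a hostname through the client-side lookup order: exact host entry first, then each parent domain with a leading dot (most specific first), then default_realm. The realm names, hostnames and KDC names are made up for the example, and the lookup is a simplification of libkrb5's behaviour (it ignores the DNS TXT fallback used when dns_lookup_realm is on, and does not treat host entries as implicit domain entries). The point it makes concrete is the one in the reply: every host that should not follow the subdomain default needs its own entry, which is why moving a realm onto its own subdomain shrinks that list to a single leading-dot line.

```python
"""Map hostnames to Kerberos realms from a krb5.conf [domain_realm] section.

Added example, not from the mailing-list thread or from MIT krb5.
All realm names, hosts and KDC names below are constructed.
"""
import re

# Constructed krb5.conf fragment: two realms coexisting on lab.example.com.
# Two build hosts and the dev.lab.example.com subdomain are pinned to DEV;
# everything else under lab.example.com falls to PROD via the leading-dot
# entry, and unknown hosts fall back to default_realm.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = PROD.EXAMPLE.COM
    dns_lookup_realm = false

[realms]
    DEV.EXAMPLE.COM = {
        kdc = kdc-dev.lab.example.com
    }
    PROD.EXAMPLE.COM = {
        kdc = kdc-prod.lab.example.com
    }

[domain_realm]
    build01.lab.example.com = DEV.EXAMPLE.COM
    build02.lab.example.com = DEV.EXAMPLE.COM
    .dev.lab.example.com = DEV.EXAMPLE.COM
    .lab.example.com = PROD.EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Minimal parser returning {section: {key: value}} for flat relations.

    Brace-delimited subsections (as used in [realms]) are skipped, which is
    all that [libdefaults] and [domain_realm] need.  Comments start with '#'.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m and depth == 0:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            depth += 1          # enter a [realms]-style subsection
            continue
        if line == "}":
            depth -= 1          # leave it
            continue
        if depth == 0 and current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def realm_for_host(hostname, conf):
    """Resolve a hostname to a realm; returns (realm, reason).

    Lookup order (simplified from libkrb5): exact hostname entry, then
    parent domains with a leading dot from most to least specific, then
    default_realm.  Names are lower-cased, as Kerberos compares them
    case-insensitively.
    """
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], "host entry"
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], f"domain entry {parent}"
    return conf["libdefaults"]["default_realm"], "default_realm"


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for h in ("build01.lab.example.com", "ci.dev.lab.example.com",
              "web01.lab.example.com", "laptop.corp.example.net"):
        print(f"{h:28s} -> {realm_for_host(h, conf)}")
```

The last case (laptop.corp.example.net) is the one to watch operationally: a host with no matching entry silently lands in default_realm and will try the wrong KDC, so when two realms overlap, check the mapping for every host class rather than relying on the default.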