Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i

Inter-realm
Configuring for Multi-realm Enterprises
When you support multiple realms, there are additional configuration
steps required for both the Security Servers and Clients. This section
addresses the Server requirements.
Number of Realms per Database
A single Primary Security Server can support more than one realm. If
you have a centralized administration group that controls the security
needs for your enterprise, you can support all realms in one primary
server.
Alternatively, if you have decentralized administration groups, you may
need to support a single realm per Primary Server. This arrangement
has different configuration requirements.
If you are only supporting one realm per Primary Server, you configure
the server normally, and then create the required trust relationships, as
described in “Configuring Direct Trust Relationships” on page 250.
If you are supporting more than one realm per Primary Server, there are
additional configuration tasks that you must perform.
Primary Servers That Support Multiple Realms
If you choose to support more than one realm in a Primary Server’s
database, then you must decide if all the Secondary Servers will support
multiple realms. Alternatively, you can have different branches of
Secondary Servers, one branch for each realm supported in the principal
database.
Propagation can be configured to propagate only selected realms to a
Secondary Server. This enables you to maximize the benefits of creating
multiple security boundaries in your enterprise. In the event that an
authentication server in one branch is compromised, database
information about other branches is still secure.
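
The following is an added example, not HP's configuration syntax or tooling: a small Python model of per-realm propagation, plus an audit check that a Secondary Server's principal list contains only the realms assigned to its branch. The server names, realm names and principal list are constructed, and the principal text form (`name/instance@REALM`, with a backslash escaping the next character) is an assumption.

```python
def realm_of(principal):
    """Realm of 'name/instance@REALM'; a backslash escapes the next character."""
    at, i = [], 0
    while i < len(principal):
        if principal[i] == "\\":
            i += 2              # skip the escaped character, e.g. '\@'
            continue
        if principal[i] == "@":
            at.append(i)
        i += 1
    if len(at) != 1 or at[0] == len(principal) - 1:
        raise ValueError(f"cannot determine realm of {principal!r}")
    return principal[at[0] + 1:]


def propagation_plan(primary_db, branches):
    """Map each Secondary Server to the principals of the realms assigned to it."""
    return {sec: [p for p in primary_db if realm_of(p) in realms]
            for sec, realms in branches.items()}


def audit_secondary(dump, allowed_realms):
    """Principals found on a secondary that fall outside its branch's realms."""
    return sorted(p for p in dump if realm_of(p) not in allowed_realms)


# Constructed sample: one Primary Server database holding two realms.
PRIMARY_DB = [
    "alice@ENG.EXAMPLE.COM",
    "krbtgt/ENG.EXAMPLE.COM@ENG.EXAMPLE.COM",
    "krbtgt/FIN.EXAMPLE.COM@ENG.EXAMPLE.COM",   # realm part is ENG
    "bob@FIN.EXAMPLE.COM",
    "host/pay1.fin.example.com@FIN.EXAMPLE.COM",
    "svc\\@legacy@FIN.EXAMPLE.COM",             # escaped '@' in the name
]
# Hypothetical secondaries, one branch per realm.
BRANCHES = {"sec-eng": {"ENG.EXAMPLE.COM"}, "sec-fin": {"FIN.EXAMPLE.COM"}}

if __name__ == "__main__":
    plan = propagation_plan(PRIMARY_DB, BRANCHES)
    for sec, principals in plan.items():
        print(sec, "receives", len(principals), "principals")
    # A secondary that was sent the whole database fails the audit:
    for p in audit_secondary(PRIMARY_DB, BRANCHES["sec-eng"]):
        print("unexpected on sec-eng:", p)
```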