“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 664 — #690
The official Kerberos FAQ is available at http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html. The book Kerberos — A Network Authentication System by Brian Tung (ISBN 0-201-37924-4) offers extensive information.

26.6 Installing and Administering Kerberos
This section covers the installation of the Heimdal Kerberos implementation as well as some aspects of administration. This section assumes you are familiar with the basic concepts of Kerberos (see also Section 26.5 on page 657).
26.6.1 Choosing the Kerberos Realms
The domain of a Kerberos installation is called a realm and is identified by a name, such as FOOBAR.COM or simply ACCOUNTING. Kerberos is case-sensitive, so foobar.com is actually a different realm than FOOBAR.COM. Use the case you prefer. It is common practice, however, to use uppercase realm names.
It is also a good idea to use your DNS domain name (or a subdomain, such as ACCOUNTING.FOOBAR.COM). As shown below, your life as an administrator can be much easier if you configure your Kerberos clients to locate the KDC and other Kerberos services via DNS. To do so, it is helpful if your realm name is a subdomain of your DNS domain name.
Unlike the DNS name space, Kerberos is not hierarchical. You cannot set up a realm named FOOBAR.COM, have two “subrealms” named DEVELOPMENT and ACCOUNTING underneath it, and expect the two subordinate realms to somehow inherit principals from FOOBAR.COM. Instead, you would have three separate realms for which you would have to configure crossrealm authentication for users from one realm to interact with servers or other users from another realm.
For the sake of simplicity, assume you are setting up just one realm for your entire organization. Setting up crossrealm authentication is described in [15], for instance. For the remainder of this section, the realm name SAMPLE.COM is used in all examples.
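The naming rules above can be checked mechanically before a KDC is installed. The following Python sketch is an added example, not part of the original manual or of Heimdal: the function names and the sample realm plan are hypothetical, and the SRV labels are the ones Kerberos clients conventionally query when locating services via DNS.

```python
# Added example: lint candidate Kerberos realm names against the guidance above.
# All function names and sample values are hypothetical, constructed for illustration.

# SRV labels clients conventionally query to find a realm's services.
SRV_LABELS = ("_kerberos._udp", "_kerberos._tcp", "_kerberos-adm._tcp", "_kpasswd._udp")


def srv_names(realm):
    """DNS names a client would look up for `realm` (DNS itself ignores case)."""
    return [f"{label}.{realm.lower()}." for label in SRV_LABELS]


def check_realm(realm, dns_domain):
    """Return a list of findings for one candidate realm name."""
    findings = []
    if realm != realm.upper():
        findings.append("not uppercase (common practice is uppercase)")
    zone, name = dns_domain.lower().rstrip("."), realm.lower()
    if name != zone and not name.endswith("." + zone):
        findings.append(f"not {zone} or a subdomain of it (DNS-based KDC lookup is harder)")
    return findings


def case_collisions(realms):
    """Groups of names differing only in case: distinct realms that are easy to confuse."""
    groups = {}
    for r in realms:
        groups.setdefault(r.lower(), set()).add(r)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def needs_cross_realm(client_principal, service_realm):
    """Realms compare exactly: no case folding and no parent/child inheritance."""
    client_realm = client_principal.rsplit("@", 1)[1]
    return client_realm != service_realm


if __name__ == "__main__":
    plan = ["FOOBAR.COM", "foobar.com", "ACCOUNTING", "ACCOUNTING.FOOBAR.COM"]  # constructed
    for realm in plan:
        print(realm, check_realm(realm, "foobar.com") or "ok")
    print("case collisions:", case_collisions(plan))
    print("SRV lookups:", srv_names("SAMPLE.COM"))
    print("cross-realm needed:", needs_cross_realm("alice@DEVELOPMENT", "FOOBAR.COM"))
```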