Installing And Administering Kerberos; Choosing The Kerberos Realms - Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 04-08-2006 Installation Manual


47 Installing and Administering Kerberos

This section covers the installation of the MIT Kerberos implementation as well as
some aspects of administration. This section assumes you are familiar with the basic
concepts of Kerberos (see also Chapter 46, Network Authentication—Kerberos (page 845)).

47.1 Choosing the Kerberos Realms

The domain of a Kerberos installation is called a realm and is identified by a name,
such as FOOBAR.COM or simply ACCOUNTING. Kerberos is case-sensitive, so
foobar.com is actually a different realm than FOOBAR.COM. Use the case you prefer.
It is common practice, however, to use uppercase realm names.

It is also a good idea to use your DNS domain name (or a subdomain, such as
ACCOUNTING.FOOBAR.COM). As shown below, your life as an administrator can be
much easier if you configure your Kerberos clients to locate the KDC and other Kerberos
services via DNS. To do so, it is helpful if your realm name is a subdomain of your
DNS domain name.

Unlike the DNS name space, Kerberos is not hierarchical. You cannot set up a realm
named FOOBAR.COM, have two "subrealms" named DEVELOPMENT and ACCOUNTING
underneath it, and expect the two subordinate realms to somehow inherit principals
from FOOBAR.COM. Instead, you would have three separate realms for which you
would have to configure cross-realm authentication for users from one realm to interact
with servers or other users from another realm.
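
The naming rules above, as an added planning sketch that is not part of the original manual: it checks a proposed realm name against the DNS domain, lists the DNS SRV names MIT Kerberos clients look up for a realm, and enumerates the krbtgt principals needed for direct two-way cross-realm trust between separate realms. The function names are assumptions made for this example; the realm names are the ones used in the text.

```python
from itertools import permutations

# SRV labels that MIT Kerberos clients query to locate realm services via DNS.
SRV_LABELS = ("_kerberos._udp", "_kerberos._tcp",
              "_kerberos-adm._tcp", "_kpasswd._udp")

def check_realm(realm, dns_domain):
    """Return planning warnings for a proposed realm name (empty list = fine)."""
    warnings = []
    # Realm names are case-sensitive; uppercase is the common convention.
    if realm != realm.upper():
        warnings.append("%s is not uppercase; %s would be a different realm"
                        % (realm, realm.upper()))
    # DNS itself is case-insensitive, so compare the names in lowercase.
    r, d = realm.lower().rstrip("."), dns_domain.lower().rstrip(".")
    if r != d and not r.endswith("." + d):
        warnings.append("%s is neither %s nor a subdomain of it" % (realm, d))
    return warnings

def srv_names(realm):
    """DNS names a client resolves to find the KDC, kadmin and kpasswd services."""
    zone = realm.lower().rstrip(".")
    return ["%s.%s." % (label, zone) for label in SRV_LABELS]

def cross_realm_principals(realms):
    """krbtgt principals for direct two-way trust between every pair of realms.

    Realms do not inherit from each other, so each ordered pair needs its own
    krbtgt/TARGET@SOURCE principal, created in both realms with the same key.
    """
    if len(set(realms)) != len(realms):
        raise ValueError("duplicate realm name")
    return ["krbtgt/%s@%s" % (target, source)
            for source, target in permutations(realms, 2)]

if __name__ == "__main__":
    for name in ("ACCOUNTING.FOOBAR.COM", "foobar.com", "ACCOUNTING"):
        print(name, "->", check_realm(name, "foobar.com") or "ok")
    print("\n".join(srv_names("ACCOUNTING.FOOBAR.COM")))
    # The three separate realms from the text: six principals, no inheritance.
    print("\n".join(cross_realm_principals(
        ["FOOBAR.COM", "DEVELOPMENT", "ACCOUNTING"])))
```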
