Realms

A realm is logical network, like a domain, which defines a group of systems under the same master KDC. As with establishing a DNS domain name, issues such as the realm name, the number and size of each realm, and the relationship of a realm to other realms should be resolved before installing SEAM.

Realm Names

Realm names can be any ASCII string. Usually it is the same as your DNS domain name, in uppercase. This helps differentiate problems with SEAM from problems with the DNS namespace, while using a name that is familiar. If you do not use DNS or choose to use a different string, then you can use any string, although using realm names that follow the standard internet naming structure is wise.

Number of Realms

The number of realms that your installation requires depends on several factors:

• The number of clients to be supported. Too many clients in one realm makes administration more difficult and eventually requires splitting the realm. The primary factors that determine the number of clients that can be supported are: the amount of SEAM traffic that each client generates, the bandwidth of the physical network and the speed of the hosts. Since each installation will have different limitations, there is no rule for determining the maximum number of clients.

• How far apart the clients are. It might make sense to set up several small realms if the clients are in a different geographic region.

• The number of hosts that are available to be installed as KDCs. Each realm should have at least two KDC servers (master and slave).

Realm Hierarchy

When configuring multiple realms, you need to decide how to tie the realms together. You can establish a hierarchical relation between the realms that provides automatic paths to the related domains, but requires that all realms in the hierarchical chain are configured properly. The automatic paths can ease the administration burden; however, if there are many levels of domains, you might not want to use the default path because it requires too many transactions.

You can also choose to establish the connection directly. A direct connection is most useful when too many levels exist between two hierarchical domains or when there is no hierarchal relationship. The connection must be defined in /etc/krb5/krb5.conf on all hosts using the connection, so some additional work required. See "Realms" for an introduction and "Configuring Cross-Realm Authentication" for the configuration procedures for multiple realms.