1.1.1 - Realms

A Realm is associated with a Kerberos administrative domain. In other words, it covers everything the Kerberos server manages :

  • Users
  • Services

Note that a Kerberos Server manages one Realm only, a Realm can be managed by more than one Kerberos server : this is mandatory to avoid a single point of failure, if a Kerberos server halts for any reason.

Realm name

In order to distinguish the Realms, we give them a unique name. This name can be anything, but a convention is to use the DNS name of the Kerberos server, and to use uppercase.

For instance, say that th Kerberos server is installed on a machine whose domain name is apache.org, then we will use APACHE.ORG as the Realm name (but you could use Apache.org or even MyApacheDomain).

Note that the name is case sensitive. **apache.org** is a different realm than **APACHE.ORG**.

The Realm name wil be used all over Kerberos to name Principals and Services

Default Realm for ApacheDS Kerberos Server

When ApacheDS Kerberos Server installed, the default Realm name is set to EXAMPLE.COM. This can be changed either using Studio, by accessing the server configuration and changing the ‘Primary KDC Realm’, as show in this picture :

Kerberos Realm Configuration

or by modifying the LDIF configuration directly, by modifying the following entry :

dn: ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config
...
ads-krbprimaryrealm: EXAMPLE.COM
...