47.1 Choosing the Kerberos Realms
The domain of a Kerberos installation is called a realm and is identified by a name, such as FOOBAR.COM or simply ACCOUNTING. Kerberos is case-sensitive, so foobar.com is actually a different realm than FOOBAR.COM. Use the case you prefer. It is common practice, however, to use uppercase realm names. It is also a good idea to use your DNS domain name (or a subdomain, such as ACCOUNTING.FOOBAR.COM). As shown below, your life as an administrator can be much easier if you configure your Kerberos clients to locate the KDC and other Kerberos services via DNS. To do so, it is helpful if your realm name is a subdomain of your DNS domain name.
Unlike the DNS name space, Kerberos is not hierarchical. You cannot set up a realm named FOOBAR.COM, have two subrealms named DEVELOPMENT and ACCOUNTING underneath it, and expect the two subordinate realms to somehow inherit principals from FOOBAR.COM. Instead, you would have three separate realms for which you would have to configure cross-realm authentication for users from one realm to interact with servers or other users from another realm.
For the sake of simplicity, assume you are setting up just one realm for your entire organization. For the remainder of this section, the realm name EXAMPLE.COM is used in all examples.
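The following krb5.conf fragment is an added example, not part of the original text or of the distribution's shipped configuration. It shows the conventions described above in one client configuration: an uppercase realm name that is the DNS domain name (so the KDC can be located through DNS SRV records), an explicit host-to-realm mapping, and, to illustrate the non-hierarchical point, a second, fully independent realm ACCOUNTING.EXAMPLE.COM with direct cross-realm trust. The hostnames kdc.example.com and kdc.accounting.example.com and the second realm itself are assumptions for the example.

```ini
# krb5.conf (added example; hostnames and the ACCOUNTING realm are assumed)

[libdefaults]
    default_realm = EXAMPLE.COM
    # Find KDCs through DNS SRV records such as _kerberos._udp.example.com.
    # This works without further mapping because the realm name is the
    # DNS domain name in uppercase.
    dns_lookup_kdc = true
    # Keep host-to-realm mapping static; DNS TXT lookup of realm names
    # (_kerberos.example.com) is unauthenticated and best left off.
    dns_lookup_realm = false

[realms]
    # Static KDC addresses, used when DNS lookup is disabled or fails.
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
    # A separate realm. Despite the DNS-style name it is NOT a child of
    # EXAMPLE.COM and inherits no principals from it.
    ACCOUNTING.EXAMPLE.COM = {
        kdc = kdc.accounting.example.com
        admin_server = kdc.accounting.example.com
    }

[domain_realm]
    # Longest matching suffix wins. The right-hand side is the realm name
    # and is case-sensitive: "example.com" here would name a different realm.
    .accounting.example.com = ACCOUNTING.EXAMPLE.COM
    accounting.example.com  = ACCOUNTING.EXAMPLE.COM
    .example.com            = EXAMPLE.COM
    example.com             = EXAMPLE.COM

[capaths]
    # Direct cross-realm trust in both directions; "." means no
    # intermediate realm. Each direction additionally needs the matching
    # shared krbtgt/<remote realm>@<local realm> principal in both KDCs.
    EXAMPLE.COM = {
        ACCOUNTING.EXAMPLE.COM = .
    }
    ACCOUNTING.EXAMPLE.COM = {
        EXAMPLE.COM = .
    }
```

With this file in place, `kinit alice@EXAMPLE.COM` obtains a ticket from kdc.example.com, while `kinit alice@example.com` asks for a realm that, as far as Kerberos is concerned, does not exist. Drop the ACCOUNTING.EXAMPLE.COM entries and the [capaths] section entirely for the single-realm setup assumed in the rest of this section.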