Kerberos auth, realm and domain considerations

Søren Grønning sgi at dskd.dk
Thu Oct 4 23:48:22 PDT 2012


Hi all,

I'm trying to get our Mac OS X clients to perform Kerberos authentication when accessing the print queues on our Mac OS X 10.6.8 print server; however, I'm having a hard time getting it to work reliably.

We're operating a mixed Windows and Mac environment, in which the Macs are unable to update our DNS server dynamically due to 'secure updates' on the server which use GSS-TSIG keys to update the DNS server's records, which makes me worry about the stated need for static IP addresses or a working, dynamically updated DNS service for Kerberos to work with CUPS (we use CUPS 1.4.7) as well as the remark about a 'single domain/KDC' (whatever that means...) since it might imply that a Kerberos realm (which I believe is what's referred to in this context) might only consist of a KDC master and no slaves, although I believe it means that you can only bind to ONE Kerberos realm per server or client ...

So my question is: Does it require a single Kerberos realm with only a single KDC server (a master) to make this work or is a single realm consisting of two (or more) KDC servers okay?

Cheers,



