Need one for each DNS domain you administer or more-general
DNS domain
Service
<component>/<domainname>@UPENN.EDU
Example: host/pobox.upenn.edu@UPENN.EDU
Roughly one per service per host, though some are shared
by several services. If the host has multiple DNS records,
one Service PennKey is needed for each "A record". CNAME
records do not need their own Service PennKeys.
Cross-RealmTrust
<PennName>/kadmin-<Windows2000 domain in caps>@UPENN.EDU
Only one needed per Windows 2000 "realm" that will have
one-way trust relationship with the U. Penn MIT KDC
one "KAdmin PennKey" per machine you are installing onto --
for creating Host PennKeys which will support kerberized services
on that machine
one "Service PennKey" per machine per kerberized service you
will install (though some Service PennKeys will support more
than one kerberized service) -- supports authentication between
ticket server and the service on your machine. (*Authorization*
is still the job of your service!)
one "Cross-Realm PennKey" per local Kerberos "realm" (e.g.,
a Windows 2000 "domain") which you will configure so users may
authenticate to a local Kerberos or Windows 2000 server using
their PennKeys.
Information needed from you for processing request is listed immediately
below.
"... [T]he KAdmin PennKey type allows the owner to create Service
PennKeys and other, more specific KAdmin PennKeys (but note KAdmin
PennKeys do not allow creating User PennKeys). An example of a
KAdmin PennKey is phanatic/kadmin-philly.athletics.upenn.edu@UPENN.EDU,
allowing the owner to create Service and KAdmin PennKeys for philly.athletics.upenn.edu,
a1.philly.athletics.upenn.edu and other domains more specific
than athletics.upenn.edu."
