Question about dns_lookup_realm and domain_realm
Jos Backus
jos at catnook.com
Fri Jun 27 12:06:53 EDT 2008
On Fri, Jun 27, 2008 at 08:37:23AM -0400, Jeffrey Altman wrote:
> > That's something my patch changes as it performs the DNS lookup first (when
> > configured).
> Which in turn would disable Kerberos referrals.
Good to know. If referrals solve my problem, I'll set that up.
> There is a serious need for the zero configuration solution for Kerberos
> deployments.
> Of course, DNS is insecure so relying on DNS to bootstrap your
> authentication system is undesirable. That is not to say it has not been
> used but only because there have been no other choices.
Amen.
> For referrals to work the user must have already obtained a TGT. If you
> are trying to decide which identity a user should obtain a credential for
> based upon the host that the user is going to communicate with, that is
> not something that will be solved by referrals.
Understood. Thankfully that's not the issue here - the user already has a TGT.
> To be honest, I don't think it will be solved by domain_realm mappings
> whether stored locally or in DNS.
Based on what I know, I agree.
Thanks,
--
Jos Backus
jos at catnook.com