<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
Sam Hartman wrote:<br>
<blockquote type="cite" cite="midtslk7c4wfvq.fsf@konishi-polis.mit.edu">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">"Jeffrey" == Jeffrey Altman <a class="moz-txt-link-rfc2396E" href="mailto:jaltman@columbia.edu"><jaltman@columbia.edu></a> writes:
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<pre wrap=""><!---->
Jeffrey> Shall we agree to alter this to read:
Jeffrey> 1) krb.com 2) "kerberos-iv" SRV record if "kerberos-iv"
Jeffrey> SRV record does not exist and does not return "." try 3)
Jeffrey> "kerberos" SRV record 4) "kerberos.REALM" A or CNAME
Jeffrey> record

I agree this is a valid option to consider. There is a reasonable
probability this is what we will decide on.

However, keep in mind that there is a large class of realms out there
that do not support krb4 and will not ever advertise a kerberos-iv SRV
record indicating the service is unavailable. I'm thinking of Windows
active directory realms.

So, I believe another option to consider is

1) krb.conf|krb5.conf
2) kerberos-iv SRV records</pre>
</blockquote>
<br>
Not for the KfW 2.5 release. As I mentioned in a previous e-mail,
Leash at the present time enforces the synchronization of the krb.con
and krb5.ini files. Therefore, there will be no realm information in
krb5.conf which does not exist in krb.con. Also, the Windows Krb4
library does not understand the profile API at all.<br>
<br>
When we merge the Windows Kerberos 4 library with the Krb5 Krb4
library, we will abandon the krb.con and krbrealm.con files. Leash
will then enforce synchronization between the krb.con/krbrealm.con
files and the [v4 realm] and [v4 realm-domain] sections of krb5.conf.<br>
<br>
- Jeff<br>
<br>
<br>
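The four-step lookup order proposed in the quoted text, as an added example that is not part of the original message and is not KfW or MIT Kerberos code. The `_service._udp.REALM` owner names, the realm and host names, and the DNS data are constructed assumptions; the code returns host names only.

```python
# Added example. All realms, hosts and records below are constructed sample data.
KRB_CON = {"ATHENA.EXAMPLE": ["kerberos.athena.example"]}  # stands in for krb.con
DNS = {  # stands in for a resolver; SRV tuples are (priority, weight, port, target)
    ("SRV", "_kerberos-iv._udp.V4.EXAMPLE"): [(10, 0, 750, "kdc4-b.v4.example."),
                                              (0, 0, 750, "kdc4-a.v4.example.")],
    ("SRV", "_kerberos-iv._udp.NOV4.EXAMPLE"): [(0, 0, 0, ".")],
    ("SRV", "_kerberos._udp.NOV4.EXAMPLE"): [(0, 0, 88, "kdc.nov4.example.")],
    ("SRV", "_kerberos._udp.AD.EXAMPLE"): [(0, 0, 88, "dc1.ad.example.")],
    ("A", "kerberos.LEGACY.EXAMPLE"): ["192.0.2.10"],
}


def srv_hosts(service, realm, dns):
    """None: no such record. []: sole target is "." (service not offered).
    Otherwise the target hosts ordered by priority."""
    # The owner-name form _service._udp.REALM is an assumption; the message
    # only names the services "kerberos-iv" and "kerberos".
    records = dns.get(("SRV", f"_{service}._udp.{realm}"))
    if records is None:
        return None
    if [r[3] for r in records] == ["."]:
        return []
    return [r[3].rstrip(".") for r in sorted(records)]


def locate_krb4_kdc(realm, krb_con=KRB_CON, dns=DNS):
    """Return (source, hosts) following the four-step order in the quoted text."""
    if realm in krb_con:                                  # 1) local config file
        return ("krb.con", krb_con[realm])
    v4 = srv_hosts("kerberos-iv", realm, dns)             # 2) kerberos-iv SRV
    if v4 is not None:
        # A "." answer is final: the realm says it has no krb4 service.
        return ("kerberos-iv SRV", v4)
    v5 = srv_hosts("kerberos", realm, dns)                # 3) kerberos SRV
    if v5:
        return ("kerberos SRV", v5)
    if ("A", f"kerberos.{realm}") in dns:                 # 4) kerberos.REALM
        return ("kerberos.REALM", [f"kerberos.{realm}".lower()])
    return ("none", [])


if __name__ == "__main__":
    for realm in ("ATHENA.EXAMPLE", "V4.EXAMPLE", "NOV4.EXAMPLE",
                  "AD.EXAMPLE", "LEGACY.EXAMPLE", "MISSING.EXAMPLE"):
        print(realm, *locate_krb4_kdc(realm))
```

AD.EXAMPLE publishes no kerberos-iv record at all, so the lookup falls through to step 3 and returns a host taken from the kerberos SRV record, which is the Active Directory case raised in the quoted reply.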
</body>
</html>