Kerberos 5, kprop problem

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Apr 18 14:31:46 EDT 2002


>I am not creating a service ticket (unless kprop is doing it behind the
>scenes).  These are just the principals for the KDC's, to quote the
>manual again:

Those things you've been adding are what I've been talking about (but really
better terminology is "service principals").

>Each KDC needs a host principal in the Kerberos database. You can enter
>these from any host, once the kadmind daemon is running. For example, if
>your master KDC were called kerberos.mit.edu, and you had two KDC slaves
>named kerberos-1.mit.edu and kerberos-2.mit.edu, you would type the
>following: 
>shell% /usr/local/sbin/kadmin
>kadmin: addprinc -randkey host/kerberos.mit.edu
>etc..
>
>So the manual says to make CNAME records for your KDC's called
>kerberos, kerberos-2, etc.  Then to add those CNAME records as
>principals.  So either you or the manual is wrong, or I'm very dense and
>I don't get it :)

Wait, but the manual doesn't say that (at least, the bit you quoted).
It doesn't say anything about creating CNAMEs there.  It just says, "If
your KDC is called "kerberos.mit.edu", here is what you run inside
kadmin".  I'll admit that it's confusing, but I don't see where it says
to create service principals based on hostname aliases.

>Frankly it wouldn't make sense to create kerberos, kerberos-1, etc
>CNAMES, and then use canonical names everywhere.  What's the point of
>having the CNAME then?  The whole idea is that you can switch KDC's -
>make a slave into master and vice versa easily by changing the CNAME to
>point to the correct canonical names, and making some changes in the
>kerberos configuration.

When you start distributing krb5.conf files to clients, you will find it's
painful to change them; the idea behind CNAMEs is that you can change those
without affecting your clients.

>> This is part of the confusion about a CNAME record.  The canonical name
>> is the part on the right side of the record; the left side of the
>> CNAME record is the alias.  In Kerberos, you never create principals using
>> the alias (well, you _can_, but on Unix implementations, it's almost always
>> a bad idea).
>
>If that's true, then the manual needs to be corrected.

But you haven't shown where the manual says that.

--Ken
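The point Ken makes about CNAME records (the alias is on the left-hand side, the canonical name on the right, and host principals should be named after the canonical name) is easy to check mechanically against a KDC database dump. The following is an added example written for this page; it is not code from the thread, from MIT Kerberos or from kadmin. The CNAME table, realm and principal list are constructed sample data, and the function names are my own.

```python
"""Audit host/ principals against a CNAME table.

Added example, not from the original mailing-list thread. It encodes the
rule discussed above: a host principal's instance should be the canonical
hostname (right-hand side of the CNAME record), never the alias on the
left-hand side. The table and principal list are constructed sample data,
not real DNS or KDC output.
"""

# Constructed CNAME table: alias -> canonical name (right-hand side of the record).
CNAME_TABLE = {
    "kerberos.example.com": "kdc-a.example.com",
    "kerberos-1.example.com": "kdc-b.example.com",
    "kerberos-2.example.com": "kdc-c.example.com",
}

# Constructed list of host/ principals as they might be listed from the KDC database.
SAMPLE_PRINCIPALS = [
    "host/kdc-a.example.com@EXAMPLE.COM",
    "host/kerberos.example.com@EXAMPLE.COM",
    "host/kerberos-1.example.com@EXAMPLE.COM",
    "host/kdc-c.example.com@EXAMPLE.COM",
]


def canonicalize(name, cname_table):
    """Follow CNAME records to the canonical hostname, handling chains and loops."""
    seen = set()
    current = name.lower().rstrip(".")
    while current in cname_table:
        if current in seen:
            raise ValueError("CNAME loop involving %s" % current)
        seen.add(current)
        current = cname_table[current].lower().rstrip(".")
    return current


def split_principal(principal):
    """Split 'service/instance@REALM' into (service, instance, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %s" % principal)
    service, sep, instance = name.partition("/")
    if not sep:
        raise ValueError("principal has no instance: %s" % principal)
    return service, instance, realm


def find_alias_principals(principals, cname_table):
    """Return (offending_principal, suggested_principal) for every host/
    principal whose instance is a CNAME alias rather than a canonical name."""
    findings = []
    for principal in principals:
        service, instance, realm = split_principal(principal)
        if service != "host":
            continue
        canonical = canonicalize(instance, cname_table)
        if canonical != instance.lower().rstrip("."):
            findings.append((principal, "host/%s@%s" % (canonical, realm)))
    return findings


if __name__ == "__main__":
    for bad, good in find_alias_principals(SAMPLE_PRINCIPALS, CNAME_TABLE):
        print("%s is named after an alias; expected %s" % (bad, good))
```

Run against the sample data, the two principals created with the kerberos and kerberos-1 aliases are reported together with the canonical-name principal that should exist instead; the two created with canonical names pass.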
