[domain_realm] question
Sam Hartman
hartmans at MIT.EDU
Wed Feb 4 21:02:57 EST 2004
>>>>> "Inger," == Inger, Slav (S B ) <vinger at ford.com> writes:
Inger,> Final question for today: is it explicitly disallowed for
Inger,> separate realms to map to a single DNS domain in
Inger,> [domain_realm] section? We have a situation where users
Inger,> belonging to separate realms are in the same DNS domain
Inger,> and cross-realm authentication for these users is a must.
Inger,> When I tested this, Kerberos would get confused and deny
Inger,> cross-realm authentication requests. Just making sure I
Inger,> wasn't missing anything when I tried it. If this is
Inger,> currently not an option, some thought needs to be given to
Inger,> scalability issues Kerberos faces in large heterogeneous
Inger,> environments.
domain_realms maps domains to realms. It's a mapping. That means it
is a function taking domains as input and giving realms as output.
One property of functions and mappings is that they have one value for
any given input.
Meaning that yes, it is disallowed for one domain to map to multiple
realms, and this restriction is not a restriction in the code but more
a fundamental property of the problem being solved.
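
The point of the reply above, as an added example that is not part of the original post: a small Python check that parses a [domain_realm] section, reports any domain listed with two different realms, and resolves a host to exactly one realm. The sample configuration and realm names are constructed, and the lookup order (exact host, then parent domains) and keeping the first entry on a conflict are assumptions of this sketch, not a statement of the Kerberos library's behaviour.

```python
import re

# Constructed sample krb5.conf fragment; realm and domain names are made up.
SAMPLE = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.COM

[domain_realm]
    .example.com = CORP.EXAMPLE.COM
    example.com = CORP.EXAMPLE.COM
    .example.com = LAB.EXAMPLE.COM
    build01.example.com = LAB.EXAMPLE.COM
"""

def parse_domain_realm(text):
    """Return (mapping, conflicts) for the [domain_realm] section of text."""
    mapping, conflicts, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "domain_realm" or "=" not in line:
            continue
        key, realm = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # A mapping has one output per input: a second, different realm
        # for the same key is a configuration error worth reporting.
        if key in mapping and mapping[key] != realm:
            conflicts.append((key, mapping[key], realm))
        mapping.setdefault(key, realm)  # assumption: first entry is kept
    return mapping, conflicts

def realm_for_host(host, mapping):
    """Most specific entry wins: exact host, then each parent domain."""
    name = host.lower()
    while name:
        if name in mapping:
            return mapping[name]
        # Walk "a.b.c" -> ".b.c" -> "b.c" -> ".c" -> "c" -> "".
        if name.startswith("."):
            name = name[1:]
        elif "." in name:
            name = name[name.index("."):]
        else:
            name = ""
    return None
```

A per-host entry such as `build01.example.com` is the way to place individual machines in a different realm from the rest of their DNS domain, since each key still resolves to a single realm.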