[domain_realm] question

[Jeffrey Altman]

If you want to provide separate mappings of hosts to domains, then
you will have to provide domain to realm mappings for each individual
machine name



Sam Hartman wrote:

>>>>>>"Inger," == Inger, Slav (S B ) <vinger at ford.com> writes:
> 
> 
>     Inger,> Final question for today: is it explicitly disallowed for
>     Inger,> separate realms to map to a single DNS domain in
>     Inger,> [domain_realm] section?  We have a situation where users
>     Inger,> belonging to separate realms are in the same DNS domain
>     Inger,> and cross-realm authentication for these users is a must.
>     Inger,> When I tested this, Kerberos would get confused and deny
>     Inger,> cross-realm authentication requests.  Just making sure I
>     Inger,> wasn't missing anything when I tried it.  If this is
>     Inger,> currently not an option, some thought needs to be given to
>     Inger,> scalability issues Kerberos faces in large heterogenous
>     Inger,> environments.
> 
> domain_realms maps domains to realms.  IT's a mapping.  That means it
> is a a function taking domains as input and giving realms as output.
> One property of functions and mappings is that they have one value for
> any given input.
> 
> Meaning that yes it is disallowed for one domain to map to multiple
> realms, and this restriction is not a restriction in the code but more
> a fundamental property of the problem being solved.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>