[domain_realm] question

Jeffrey Altman jaltman2 at nyc.rr.com
Thu Feb 5 00:11:49 EST 2004


If you want to provide separate mappings of hosts to domains, then
you will have to provide domain to realm mappings for each individual
machine name



Sam Hartman wrote:

>>>>>>"Inger," == Inger, Slav (S B ) <vinger at ford.com> writes:
> 
> 
>     Inger,> Final question for today: is it explicitly disallowed for
>     Inger,> separate realms to map to a single DNS domain in
>     Inger,> [domain_realm] section?  We have a situation where users
>     Inger,> belonging to separate realms are in the same DNS domain
>     Inger,> and cross-realm authentication for these users is a must.
>     Inger,> When I tested this, Kerberos would get confused and deny
>     Inger,> cross-realm authentication requests.  Just making sure I
>     Inger,> wasn't missing anything when I tried it.  If this is
>     Inger,> currently not an option, some thought needs to be given to
>     Inger,> scalability issues Kerberos faces in large heterogenous
>     Inger,> environments.
> 
> domain_realms maps domains to realms.  IT's a mapping.  That means it
> is a a function taking domains as input and giving realms as output.
> One property of functions and mappings is that they have one value for
> any given input.
> 
> Meaning that yes it is disallowed for one domain to map to multiple
> realms, and this restriction is not a restriction in the code but more
> a fundamental property of the problem being solved.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


More information about the Kerberos mailing list