Is there an alternative to krb5.conf file????

Ken Raeburn raeburn at MIT.EDU
Tue Nov 16 10:11:38 EST 2004


On Nov 15, 2004, at 17:45, Ahluwalia, Ish wrote:
> Is there an alternative to krb5.conf file to initialize and set up 
> Kerberos realm?  I tried to use "krb5_set_default_realm" API call, but 
> it didn't work.  This API call asks for a char* to realm name which I 
> provided for e.g. "REALM.COM".  But somehow when I use the API calls 
> "krb5_sname_to_principal" and "krb5_unparse_name", Kerberos prints a 
> service name "service/nj.domain.com@domain.com".  The service name 
> should have been "service/nj.domain.com@REALM.COM".
> Any insight into this will be highly appreciated.

I believe that call sets the default local realm, not a single realm to 
use for all hosts you might try to contact.  Host-based service 
principal names are still constructed by trying to determine a realm 
for the indicated host.

> Essentially, I want to get away from setting up any kind of Kerberos 
> configuration file for realm setup and want to do it through Kerberos 
> API in an automated way.

If you create a config file with "dns_lookup_realm = yes" in the 
"libdefaults" section, the library will look up TXT records in DNS when 
trying to determine the host name to realm name mapping, so if you add 
these records you could avoid realm-specific config information.  This 
should be covered in the documentation.  However, it's a bit less 
secure, so we don't turn it on by default, and you shouldn't expect 
that other sites will be publishing such records.

Ken
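
The setup described in the reply above, written out as an added example that is not part of the original message: a minimal krb5.conf with DNS realm lookup enabled, the TXT record it relies on, and the static mapping it replaces. It reuses the names domain.com and REALM.COM from the question; the record and mapping lines are constructed for illustration.

```ini
# krb5.conf (constructed example using the names from the question)
[libdefaults]
    # Ask DNS for the host-to-realm mapping. Off by default because the
    # TXT answer is not authenticated unless the resolver validates DNSSEC.
    dns_lookup_realm = yes

# DNS record the site would have to publish (zone-file syntax, shown here
# as a comment because it lives in the DNS zone, not in krb5.conf):
#
#   _kerberos.domain.com.    IN  TXT  "REALM.COM"
#
# For the host nj.domain.com the library queries _kerberos.nj.domain.com
# first and then moves up to _kerberos.domain.com.

# Static alternative that does not depend on DNS answers: map the domain
# to the realm explicitly. Uncomment to use it instead of the TXT record.
# [domain_realm]
#     .domain.com = REALM.COM
#     domain.com  = REALM.COM
```

With either mapping in place, a host-based name built for nj.domain.com is placed in REALM.COM rather than in a realm derived from the host's domain.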


