Is there an alternative to krb5.conf file????
Ken Raeburn
raeburn at MIT.EDU
Tue Nov 16 10:11:38 EST 2004
On Nov 15, 2004, at 17:45, Ahluwalia, Ish wrote:
> Is there an alternative to krb5.conf file to initialize and setup
> Kerberos realm? I tried to use "krb5_set_default_realm" API call, but
> it didn't work. This API call asks for a char* to realm name which I
> provided for e.g. "REALM.COM". But somehow when I use the API calls
> "krb5_sname_to_principal" and "krb5_unparse_name", Kerberos prints a
> service name "service/nj.domain.com@domain.com". The service name
> should have been "service/nj.domain.com@REALM.COM".
> Any insight into this will be highly appreciated.
I believe that call sets the default local realm, not a single realm to
use for all hosts you might try to contact. Host-based service
principal names are still constructed by trying to determine a realm
for the indicated host.
> Essentially, I want to get away from setting up any kind of Kerberos
> configuration file for realm setup and want to do it through Kerberos
> API in an automated way.
If you create a config file with "dns_lookup_realm = yes" in the
"libdefaults" section, the library will look up TXT records in DNS when
trying to determine the host name to realm name mapping, so if you add
these records you could avoid realm-specific config information. This
should be covered in the documentation. However, it's a bit less
secure, so we don't turn it on by default, and you shouldn't expect
that other sites will be publishing such records.
Ken
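
The two ways of mapping a host to a realm discussed in this message, as an added configuration example that is not part of the original post. The host and realm names are taken from the question; the TXT record line is a constructed sample, and the static [domain_realm] form is shown as the alternative that does not rely on DNS answers.

```ini
# ---- Alternative 1: krb5.conf using DNS TXT lookups (described in the reply) ----
# The realm for a host is taken from a TXT record published in DNS.
# Constructed zone-file record the site would have to publish:
#   _kerberos.nj.domain.com.  IN  TXT  "REALM.COM"
# The mapping is only as trustworthy as the DNS answers the client receives.
[libdefaults]
    default_realm = REALM.COM
    dns_lookup_realm = yes

# ---- Alternative 2: a separate krb5.conf using a static mapping ----
# The host-to-realm mapping is pinned locally and DNS is not consulted for it.
# An entry with a leading dot covers every host under that domain;
# an entry without it covers that exact host name only.
[libdefaults]
    default_realm = REALM.COM
    dns_lookup_realm = no

[domain_realm]
    nj.domain.com = REALM.COM
    .domain.com = REALM.COM
```

With either file in place, a host-based principal built for nj.domain.com is placed in REALM.COM rather than in a realm guessed from the host's domain name.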