One DNS domain - three realms ?

Ken Raeburn raeburn at MIT.EDU
Mon Jun 6 16:14:14 EDT 2005


On Jun 6, 2005, at 06:42, Manel Euro wrote:
> My company has the following situation:
>
> We have one large DNS domain sgi.nl and we are planning on creating 
> three realms:
>
> SGI.NL
> A.SGI.NL
> B.SGI.NL
>
> When configuring my Kerberos clients there is a [domain_realm] tag 
> where I should put my domain-to-realm maps.

Yes, this is where the mapping goes.  But if machines in one DNS domain 
are being mapped to three realms, you're going to have to list each 
machine individually instead of simply mapping the entire domain:

   [domain_realm]
       host1.sgi.nl = SGI.NL
       host2.sgi.nl = A.SGI.NL
       host3.sgi.nl = B.SGI.NL

Or, rather, you could make one realm the default and just list all of 
the machines in the other realms:

   [domain_realm]
       .sgi.nl = SGI.NL
       host2.sgi.nl = A.SGI.NL
       host3.sgi.nl = B.SGI.NL

Either way, this will be a bit of a headache if/when you add new 
machines not in the default realm, as you'll need to update all the 
config files.

There is also an option "dns_lookup_realm" in the "libdefaults" section 
of the config file which, if turned on, will cause a DNS TXT record 
_kerberos.<FQDN> to be checked and, if it's found, the result used as 
the realm name for the host <FQDN>.  However, this option is turned off 
by default as it introduces a security risk.

Ken

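As an added illustration (not part of Ken's message, and not MIT krb5 source), the script below models the lookup order the [domain_realm] mapping implies for the three-realms-in-one-domain setup above: exact host name first, then each parent domain with a leading dot (a host-name entry also serves as a domain entry), then an optional _kerberos.<name> TXT record when dns_lookup_realm is on, and finally default_realm. The krb5.conf fragments, the host names host9.sgi.nl and the TXT table are constructed for the example; the DNS lookup is a stand-in dictionary rather than a real resolver, and the parser handles only the flat tag = value sections used here.

```python
"""Model of libkrb5-style host-to-realm resolution via [domain_realm].

Added example: it follows the documented krb5.conf lookup order but is
a simplification, not the library's code.
"""

# Constructed krb5.conf fragment modelled on Ken's second suggestion
# (default realm plus per-host exceptions).
KRB5_CONF_DEFAULT_PLUS_EXCEPTIONS = """
[libdefaults]
    default_realm = SGI.NL
    dns_lookup_realm = false

[domain_realm]
    .sgi.nl = SGI.NL
    host2.sgi.nl = A.SGI.NL
    host3.sgi.nl = B.SGI.NL
"""

# Constructed fragment modelled on Ken's first suggestion (every host
# listed individually), with the DNS option switched on to show its effect.
KRB5_CONF_PER_HOST_WITH_DNS = """
[libdefaults]
    default_realm = SGI.NL
    dns_lookup_realm = true

[domain_realm]
    host1.sgi.nl = SGI.NL
    host2.sgi.nl = A.SGI.NL
    host3.sgi.nl = B.SGI.NL
"""

# Constructed stand-in for DNS: answers a real client would get from
# "_kerberos.<name>" TXT queries.  Nothing here is authenticated, which is
# the risk behind dns_lookup_realm being off by default.
FAKE_TXT = {
    "_kerberos.host9.sgi.nl": "B.SGI.NL",
}


def parse_krb5_conf(text):
    """Minimal parser for flat '[section]' blocks of 'tag = value' lines."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def candidate_names(host):
    """Yield lookup keys in order: the host, then each parent domain."""
    host = host.lower().rstrip(".")
    yield host
    idx = host.find(".")
    while idx != -1:
        yield host[idx:]        # ".sgi.nl": explicit domain entry
        yield host[idx + 1:]    # "sgi.nl": host-name entry doubling as domain entry
        idx = host.find(".", idx + 1)


def lookup_realm(host, conf, txt_records=None):
    """Return (realm, source) for host using the parsed configuration."""
    domain_realm = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    for name in candidate_names(host):
        if name in domain_realm:
            return domain_realm[name], "domain_realm:" + name

    libdefaults = conf.get("libdefaults", {})
    if libdefaults.get("dns_lookup_realm", "false").lower() in ("true", "yes", "1"):
        # Same walk as above, but querying TXT records; whoever controls or
        # spoofs these answers chooses the realm the client trusts.
        for name in candidate_names(host):
            if name.startswith("."):
                continue
            txt = (txt_records or {}).get("_kerberos." + name)
            if txt:
                return txt, "dns:_kerberos." + name

    return libdefaults.get("default_realm", ""), "default_realm"


def resolve_all(hosts, conf_text, txt_records=None):
    """Resolve several hosts against one krb5.conf text; returns a dict."""
    conf = parse_krb5_conf(conf_text)
    return {h: lookup_realm(h, conf, txt_records) for h in hosts}


if __name__ == "__main__":
    hosts = ["host1.sgi.nl", "host2.sgi.nl", "HOST3.sgi.nl.", "host9.sgi.nl"]
    for label, conf_text in (("default+exceptions", KRB5_CONF_DEFAULT_PLUS_EXCEPTIONS),
                             ("per-host, dns on", KRB5_CONF_PER_HOST_WITH_DNS)):
        print(label)
        for host, (realm, via) in resolve_all(hosts, conf_text, FAKE_TXT).items():
            print(f"  {host:16} -> {realm:10} ({via})")
```

Running it shows the practical difference between the two layouts: with the .sgi.nl domain entry, an unlisted host such as host9.sgi.nl lands in SGI.NL without any client change, whereas with only per-host entries it falls through to default_realm, or, with dns_lookup_realm on, to whatever the TXT record says.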