Kerberos without DNS
Ken Raeburn
raeburn at MIT.EDU
Fri Mar 11 10:42:06 EST 2005
On Mar 10, 2005, at 22:12, sureshjayaram at gmail.com wrote:

> Managed to setup Kerberos without DNS server. Things to remember..
>
> (i) Have entries in /etc/hosts for all the machines, KDC server &
> kerberized server/client, so that the hostname is resolvable

Yup. Note too that the entries must agree on what the first-listed
name is, though I've seen some systems that prefer using the FQDN and
some that use just the first component.

> (ii) Principals will be of the format <user>/host@REALM instead of
> <user>/host.domain@REALM

Only if /etc/hosts lists the unqualified name first. Note that this
won't be compatible with usage in a DNS environment, as it's not
actually compliant with the specification (which says you use the
FQDN).

(And, actually, I thought at one point I'd put together some code for
looking at the second returned name if the first had no dots in it, but
maybe I didn't check it in, or maybe you're listing only one host
name.)

> (iv) This method doesn't scale

True.

Ken
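The point Ken makes about /etc/hosts ordering (the first-listed name becomes the host part of the service principal, and an unqualified first name yields a non-standard principal) can be checked before a KDC is stood up. The script below is an added example, not code from the message or from MIT Kerberos; the hosts content is constructed, and the `prefer_dotted` fallback implements the "look at the second name if the first has no dots" idea Ken mentions considering, not any shipped behaviour.

```python
# Constructed sample /etc/hosts content (not from the original message).
# 10.0.0.6 lists the short name first, which is the misconfiguration
# that produces host/fileserver@REALM instead of an FQDN principal.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.0.0.5    kdc.example.com kdc
10.0.0.6    fileserver fileserver.example.com   # short name first
10.0.0.7    web.example.com
"""

def parse_hosts(text):
    """Return {ip: [names...]}, keeping the order names appear on each line."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        table.setdefault(fields[0], []).extend(fields[1:])
    return table

def canonical_name(names, prefer_dotted=False):
    """Name the resolver returns first, i.e. what Kerberos uses as the host
    component. With prefer_dotted=True, fall back to the first dotted alias
    when the first name is unqualified (hypothetical heuristic, see lead-in)."""
    if not names:
        return None
    first = names[0]
    if prefer_dotted and "." not in first:
        for alias in names[1:]:
            if "." in alias:
                return alias
    return first

def service_principal(service, names, realm, prefer_dotted=False):
    """Predict the service principal that will be looked up for this entry."""
    return f"{service}/{canonical_name(names, prefer_dotted)}@{realm}"

def audit_hosts(text):
    """List the IPs (loopback excluded) whose first-listed name has no dots;
    these are the entries that will not be compatible with a DNS environment."""
    problems = []
    for ip, names in parse_hosts(text).items():
        if ip.startswith("127."):
            continue
        if "." not in canonical_name(names):
            problems.append(ip)
    return problems

if __name__ == "__main__":
    for ip in audit_hosts(SAMPLE_HOSTS):
        print(ip, "->", service_principal("host", parse_hosts(SAMPLE_HOSTS)[ip], "EXAMPLE.COM"))
```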