Single DNS domain for Multiple Kerberos V5 Realms?
Douglas E. Engert
deengert at anl.gov
Fri Sep 16 10:58:13 EDT 2005
yangurazov, rinat wrote:
>
> "The [domain_realm] section provides a translation from a domain name or
> hostname to a Kerberos realm name"
> ^^^^^^^^
>
> from:
> http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.2/doc/krb5-admin/domain_realm.html#domain_realm
>
> You may have to add the individual hostnames.
>
> Or add more DNS subdomains and rename your hosts to distinguish between the
> realms; you imply it is a "test.domain".
>
> [Rinat] Thank you.
> Case 1 will make krb5.conf thousands of lines long.
> Case 2 is not a good idea for the existing DNS infrastructure (actually not only
> the DNS infrastructure will be impacted) and adds more TCO to it.
> I was wondering if there is a way to have this type of record in the
> [domain_realm] section?
>
> .test.domain.com = WINDOWS.ROOT.REALM ; CHILD1.WINDOWS.ROOT.REALM ;
> CHILD2.WINDOWS.ROOT.REALM
>
>
So you are saying, try one realm, and if it fails try the next?
I don't know of any code like that.
But there is:
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-06.txt
which allows a client to ask the user's KDC for a service ticket. If the KDC
can't do it, the KDC will refer the client to the realm the KDC thinks the server
is in. The client will then try that realm.
Windows clients and the Windows AD can do this, where all the realms in question
are in the forest. The KDC uses the Global Catalog to look up the realm of the host.
(SSPI on Windows knows how to use this.)
But this draft is not yet implemented in any other Kerberos as far as I know.
And there is still a problem if you are trying to do cross-realm between
AD and some other Kerberos realm, as it is not clear how to update the Global
Catalog so referrals outside the forest can be made.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444