Use of FQDN in key (Was: Solaris 10)

Turbo Fredriksson turbo at bayour.com
Tue Jan 10 07:21:11 EST 2006


Quoting Ken Raeburn <raeburn at MIT.EDU>:

> On Jan 10, 2006, at 03:27, Turbo Fredriksson wrote:
>> Quoting "Douglas E. Engert" <deengert at anl.gov>:
>>> The kadmin/icarus@PHUSNIKN.NET should be
>>> kadmin/icarus.phusnikn.net@PHUSNIKN.NET
>>> i.e. host names in Kerberos are always FQDN.
>>
>> Just for completeness, my extreme curiosity etc. Why EXACTLY is that. If the
>> DNS works perfectly (both forward and reverse), then it should be possible to
>> NOT have the FQDN... ?
>
> There may be hosts from multiple subdomains in one realm.  For
> example, foo.dev.example.com and foo.sales.example.com; if you use
> only the first component, host/foo@EXAMPLE.COM corresponds to which...?
>
>> And why not use IP's (other than if the IP change, the
>> key is invalid)?

Oki, point taken. I'm trying to put this information into my own
use, and I only have _one_ machine called 'foo', so that/this reason
isn't valid for _me_.

> Isn't that a pretty good reason right there?

Absolutely! I was wondering if there were any other, not so obvious
ones :)

> Also, a host may have multiple IP addresses.  (Then again, it may
> also have multiple names....)

True, but (again), in my usage there's only _one_ 'primary' IP, the
rest is "sub-IP's" (used for SSL sites etc, nothing else).
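
The naming points raised in this thread (a short host name is ambiguous across subdomains of one realm, and an IP address in a principal breaks when the address changes) can be checked against a keytab listing. This is an added example, not part of the original post; the sample listing, its hosts and realm, and the set of service names treated as host-based are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by MIT `klist -k`; hosts and realm are made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/foo.dev.example.com@EXAMPLE.COM
   3 host/foo.sales.example.com@EXAMPLE.COM
   2 host/foo@EXAMPLE.COM
   1 HTTP/192.0.2.10@EXAMPLE.COM
   5 alice/admin@EXAMPLE.COM
"""

# Assumption: services whose instance component is expected to be a host name.
HOST_BASED = {"host", "HTTP", "ldap", "nfs"}

PRINC_RE = re.compile(r"^\s*\d+\s+([^/@\s]+)/([^@\s]+)@(\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_principals(text):
    """Return (service, instance, realm) for every two-component principal line."""
    return [m.groups() for m in map(PRINC_RE.match, text.splitlines()) if m]

def classify(instance):
    """Label the instance component as 'ip', 'short' (no domain part) or 'fqdn'."""
    if IPV4_RE.match(instance):
        return "ip"
    return "fqdn" if "." in instance.rstrip(".") else "short"

def audit(text, host_based=HOST_BASED):
    """Flag host-based principals that are not FQDNs, and list short names
    that would map to more than one FQDN in the same realm."""
    findings, by_short = [], defaultdict(set)
    for service, instance, realm in parse_principals(text):
        if service not in host_based:
            continue  # e.g. alice/admin: the instance is a role, not a host
        kind = classify(instance)
        if kind != "fqdn":
            findings.append((f"{service}/{instance}@{realm}", kind))
        else:
            short = instance.split(".")[0].lower()
            by_short[(service, short, realm)].add(instance.lower())
    ambiguous = {k: sorted(v) for k, v in by_short.items() if len(v) > 1}
    return findings, ambiguous

if __name__ == "__main__":
    flagged, collisions = audit(SAMPLE_KLIST)
    print("non-FQDN principals:", flagged)
    print("short names mapping to several hosts:", collisions)
```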


