Standard mechanisms to manage domain->realm mappings in multi-domain infrastructure

Jeffrey Altman jaltman at secure-endpoints.com
Wed Aug 15 23:38:11 EDT 2007


Danny Mayer wrote:
> Newman, Edward (GTI) wrote:
>> What are the preferred mechanisms to manage DNS domain to Kerberos Realm
>> mappings in large implementations? 
>>
>> I want to avoid having to redistribute a krb5.conf to every client each
>> time this changes so was wondering how others have solved this problem. 
>>
>
> How often do you think this changes and what is wrong with the SRV
> records that Kerberos currently uses?
SRV records are not used for domain to realm mappings. 

The TXT records described in a long expired I-D provided such
functionality but it is vulnerable to MITM attacks unless DNSsec is used.

The reason this is an issue is if your organization's domain is foo.com
and you have both an MIT realm and an AD realm where the hosts in the two
realms both belong to the foo.com domain.  In this situation the
organization must list each individual host that provides a service in
the krb5.conf domain_realm section.  As you add or remove hosts, you
must update the krb5.conf files.  This is exactly the reason why KDC
referrals are so important for scalability.

Jeffrey Altman
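The domain_realm lookup and the maintenance problem described above, as an added example that is not part of the original thread. It models a simplified form of the krb5.conf [domain_realm] rule (exact hostname entry first, then the longest matching domain suffix), using constructed realm names FOO.COM (MIT) and AD.FOO.COM (AD) and a constructed host inventory; real krb5 implementations have further fallbacks (referrals, DNS) that are not modelled here.

```python
"""Domain-to-realm lookup in the style of krb5.conf [domain_realm] (constructed)."""

# Constructed [domain_realm] content for an organization whose foo.com
# domain holds hosts from two realms. The leading-dot key is the default
# for the whole domain; every AD host under foo.com must be listed by name.
DOMAIN_REALM = {
    ".foo.com": "FOO.COM",              # default: MIT realm (constructed name)
    "fileserver.foo.com": "AD.FOO.COM", # AD hosts listed one by one
    "mail.foo.com": "AD.FOO.COM",
    ".win.foo.com": "AD.FOO.COM",       # a sub-domain can be mapped wholesale
}

# Constructed inventory: the realm each host really belongs to.
INVENTORY = {
    "db1.foo.com": "FOO.COM",
    "fileserver.foo.com": "AD.FOO.COM",
    "newfs.foo.com": "AD.FOO.COM",      # newly joined to AD, not yet in krb5.conf
    "pc7.win.foo.com": "AD.FOO.COM",
}


def realm_for_host(hostname, mapping=DOMAIN_REALM):
    """Return the realm [domain_realm] yields for hostname, or None.

    Simplified model of the documented order: an exact hostname entry wins;
    otherwise the longest matching domain suffix (keys beginning with '.').
    """
    host = hostname.rstrip(".").lower()
    keys = {k.lower(): v for k, v in mapping.items()}
    if host in keys:
        return keys[host]
    labels = host.split(".")
    # Try ".a.b.c", ".b.c", ".c" in turn, so the longest suffix wins.
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in keys:
            return keys[suffix]
    return None


def hosts_needing_explicit_entry(inventory=INVENTORY, mapping=DOMAIN_REALM):
    """Hosts whose true realm differs from what the mapping yields.

    Each of these needs its own domain_realm line; a client using the stale
    file would ask the wrong realm's KDC for a service ticket and fail.
    """
    return sorted(h for h, realm in inventory.items()
                  if realm_for_host(h, mapping) != realm)
```

Every host this returns is one more line an administrator must push to every client, which is the scaling problem the reply attributes to per-host domain_realm entries.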
