Standard mechanisms to manage domain->realm mappings in multi-domain infrastructure

Newman, Edward (GTI) edward_newman at ml.com
Thu Aug 16 09:41:26 EDT 2007


Jeffrey,

Is there any documentation (apart from the IETF draft) that describes the
admin procedures to maintain this (MIT and hopefully MS AD...)?

My understanding from the draft is the following:

- Two realms exist REALM1.CORP.ORG and REALM2.CORP.ORG
- A server abc.us.corp.org exists in REALM2
- A client making a request for host/abc.us.corp.org to REALM1 KDC
(using REALM1 as realm) should get a referral to REALM2 through Kerberos
- Client will then follow current process to get a cross-realm ticket
and then contact KDC in REALM2 for service ticket.

Questions appear to be:

- How does REALM1 know that the service is in REALM2 (especially if you have
REALM3, 4, etc.)?
- Does the referral support returning multiple alternate realms? Does the client
perform a traversal of all supplied realms?
- Which technologies support this capability today?

The concern would be that every KDC needs to maintain mappings of hostname
to realm for every trusted realm (did someone mention an LDAP backend...).

The Kerberos docs still show dns_lookup_realm and TXT support. Is this going
to be supported long term, or will you be moving to server referral as the
preferred mechanism within the MIT implementation? I don't see any mention of
server referrals in section 4.1 of the krb5-1.6.2 admin guide.

I am sure you are aware this is critical for large deployments where
managing host to realm mappings becomes complex.

Thanks

Edward

___________________________________
Edward Newman
GTI A&E Identity & Naming Services
Merrill Lynch, 9th Fl, 222 Broadway, New York, NY 10007, USA
Phone : +1-212-670-1546  Cell: +1-917-975-2356
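The flow the post sketches (client resolves a hostname to a realm from local configuration or DNS, asks its own KDC, is referred onward, and walks the referral chain) is shown below as an added example; it is not code from the original post, from MIT Kerberos, or from the referral draft. The realm names and hostnames are the post's, but the [domain_realm] map, the DNS TXT table, the per-realm KDC tables, the fallback-to-default_realm rule and the ten-hop referral cap are constructed assumptions for the simulation, not a transcript of the library's behaviour.

```python
"""Simulated host -> realm resolution and KDC referral traversal.

Added example, not code from the original post or from MIT krb5.  The
lookup order (exact host key, then parent-domain keys with a leading dot,
then _kerberos.<name> TXT records when dns_lookup_realm is on, then a
fallback) follows the documented krb5.conf semantics; the fallback to
default_realm, the KDC tables and the hop limit are assumptions.
"""
from dataclasses import dataclass

# Constructed [domain_realm]-style map.  A key starting with "." matches
# every host under that domain; a key without a leading "." is one host.
DOMAIN_REALM = {
    "abc.us.corp.org": "REALM2.CORP.ORG",
    ".us.corp.org": "REALM1.CORP.ORG",
    ".corp.org": "REALM1.CORP.ORG",
}

# Constructed stand-in for DNS TXT records consulted by dns_lookup_realm.
DNS_TXT = {
    "_kerberos.eu.example.net": "REALM3.CORP.ORG",
}

DEFAULT_REALM = "REALM1.CORP.ORG"  # assumed fallback when nothing matches


def candidate_keys(hostname):
    """Keys tried in order: the host itself, then each parent domain with
    a leading dot (abc.us.corp.org -> .us.corp.org -> .corp.org -> .org)."""
    labels = hostname.lower().rstrip(".").split(".")
    yield ".".join(labels)
    for i in range(1, len(labels)):
        yield "." + ".".join(labels[i:])


def resolve_realm(hostname, domain_realm=DOMAIN_REALM, dns_lookup_realm=False,
                  dns_txt=DNS_TXT, default_realm=DEFAULT_REALM):
    """Return (realm, source) for a hostname using the configured map, then
    DNS TXT records if enabled, then the assumed default_realm fallback."""
    for key in candidate_keys(hostname):
        if key in domain_realm:
            return domain_realm[key], "domain_realm:" + key
    if dns_lookup_realm:
        labels = hostname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            name = "_kerberos." + ".".join(labels[i:])
            if name in dns_txt:
                return dns_txt[name], "dns_txt:" + name
    return default_realm, "default_realm"


@dataclass
class Kdc:
    """Constructed per-realm KDC state for the referral simulation."""
    realm: str
    hosted: set        # service hosts whose keys this realm holds
    referral_map: dict  # host/domain key -> realm this KDC believes owns it
    trusts: set        # realms this KDC can issue a cross-realm TGT for


def tgs_request(kdc, service_host):
    """One simulated TGS-REQ for host/<service_host> with canonicalization.
    Returns ("ticket", realm) if the service is local, ("referral", realm)
    if the KDC knows a trusted realm that owns it, else ("error", None)."""
    if service_host in kdc.hosted:
        return "ticket", kdc.realm
    for key in candidate_keys(service_host):
        target = kdc.referral_map.get(key)
        if target and target != kdc.realm and target in kdc.trusts:
            return "referral", target
    return "error", None


def follow_referrals(client_realm, service_host, kdcs, max_hops=10):
    """Walk referrals from the client's realm until a KDC issues the
    service ticket.  Each hop stands for obtaining krbtgt/<target>@<realm>
    and asking <target>; loops are refused and hops are capped (assumed
    limit, not the library's constant).  Returns (realms_visited, issuer)."""
    visited = [client_realm]
    realm = client_realm
    for _ in range(max_hops):
        kind, target = tgs_request(kdcs[realm], service_host)
        if kind == "ticket":
            return visited, target
        if kind != "referral":
            raise LookupError(f"{realm} cannot locate host/{service_host}")
        if target in visited:
            raise LookupError(f"referral loop: {visited + [target]}")
        visited.append(target)
        realm = target
    raise LookupError(f"referral hop limit ({max_hops}) exceeded")


def build_example_kdcs():
    """Constructed two-realm deployment matching the post's scenario."""
    return {
        "REALM1.CORP.ORG": Kdc("REALM1.CORP.ORG", set(),
                               {".us.corp.org": "REALM2.CORP.ORG"},
                               {"REALM2.CORP.ORG"}),
        "REALM2.CORP.ORG": Kdc("REALM2.CORP.ORG", {"abc.us.corp.org"},
                               {}, {"REALM1.CORP.ORG"}),
    }


if __name__ == "__main__":
    print(resolve_realm("abc.us.corp.org"))
    print(follow_referrals("REALM1.CORP.ORG", "abc.us.corp.org",
                           build_example_kdcs()))
```

The simulation makes the two costs in the post visible: with a static [domain_realm] map every client (and, in the referral model, every KDC's referral table) must know `abc.us.corp.org` is in REALM2 even though the rest of `us.corp.org` is in REALM1, and once REALM3 and REALM4 appear the referral walk needs loop detection and a hop cap, or two KDCs that each believe the other owns a host will bounce the client forever.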