Standard mechanisms to manage domain->realm mappings in multi-domain infrastructure

Newman, Edward (GTI) edward_newman at ml.com
Thu Aug 16 09:46:48 EDT 2007


One additional comment on the example below - having more than one realm
within one DNS domain is likely to cause a lot of pain as you will not
be able to use SRV records for KDC identification.

Jeffrey Altman wrote:

The reason this is an issue is if your organization's domain is foo.com
and you have both a MIT realm and an AD realm where the hosts in the two
realms both belong to the foo.com domain. In this situation the
organization must list each individual host that provides a service in
the krb5.conf domain_realm section. As you add or remove hosts, you
must update the krb5.conf files. This is exactly the reason why KDC
referrals are so important for scalability.

___________________________________
Edward Newman
GTI A&E Identity & Naming Services
Merrill Lynch, 9th Fl, 222 Broadway, New York, NY 10007, USA
Phone : +1-212-670-1546  Cell: +1-917-975-2356
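
The maintenance burden discussed in this thread, as an added example that is not part of either poster's message: a small audit that compares a domain_realm table against a host inventory and reports hosts a client would send to the wrong realm, plus per-host entries left behind after a host is removed. The realm names MIT.FOO.COM and AD.FOO.COM, the host names, the inventory and the simplified lookup order (exact host, then dotted parent domains) are all assumptions made for illustration.

```python
# Added example. Realm names, hosts and inventory below are constructed.
# Assumed lookup model: exact host entry first, then each parent domain
# written with a leading dot, most specific first.
DOMAIN_REALM = {
    ".foo.com": "MIT.FOO.COM",        # domain-wide default
    "dc1.foo.com": "AD.FOO.COM",      # per-host exceptions for the AD realm
    "files.foo.com": "AD.FOO.COM",
    "print.foo.com": "AD.FOO.COM",    # host has since been decommissioned
}

# Constructed inventory: host -> realm whose KDC holds its service keys.
INVENTORY = {
    "login.foo.com": "MIT.FOO.COM",
    "dc1.foo.com": "AD.FOO.COM",
    "files.foo.com": "AD.FOO.COM",
    "sql01.foo.com": "AD.FOO.COM",    # newly added, krb5.conf not updated
}


def realm_for(host, mapping):
    """Return the realm a client would pick for host, or None if unmapped."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def audit(inventory, mapping):
    """Return (wrong, stale): hosts mapped to the wrong realm, dead host entries."""
    wrong = {}
    for host, actual in inventory.items():
        configured = realm_for(host, mapping)
        if configured != actual:
            wrong[host] = (configured, actual)
    stale = sorted(h for h in mapping if not h.startswith(".") and h not in inventory)
    return wrong, stale


if __name__ == "__main__":
    wrong, stale = audit(INVENTORY, DOMAIN_REALM)
    for host, (configured, actual) in wrong.items():
        print(f"{host}: krb5.conf gives {configured}, host is in {actual}")
    for host in stale:
        print(f"{host}: entry no longer matches any host in the inventory")
```

With the constructed data, sql01.foo.com falls through to the domain-wide default and is reported as mapped to the wrong realm, and print.foo.com is reported as a stale entry.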



