Reading kerberos-adm from DNS: when will MIT-krb support this?
Ken Raeburn
raeburn at MIT.EDU
Mon Mar 12 17:48:05 EDT 2007
On Mar 12, 2007, at 1:11, Marcus Watts wrote:
> cpkrb0703 at melvex.xs4all.nl writes:
>> Date: Sun, 11 Mar 2007 22:24:44 +0100
>> From: Bastian <cpkrb0703 at melvex.xs4all.nl>
>> To: kerberos at mit.edu
>> Subject: Reading kerberos-adm from DNS: when will MIT-krb support
>> this?
>>
>> Hi,
>>
>> In the release notes I read that in the future, MIT kerberos will be
>> able to read the name of the administrative server from DNS (through
>> kerberos-adm). Does anyone know when this is going to be implemented?
>>
>> MIT kerberos already implements the use of the other kerberos related
>> DNS records, but kerberos-adm still requires a local krb5.conf
>>
>> Bastian
>
> I believe the future has already arrived. Current MIT code should
> be capable of finding and using records like this:
>
> spam% dig _kerberos-adm._tcp.umich.edu srv

This is used for the password-changing service, but unfortunately the
RPC code used for the kadmin program still looks up admin_server, and
uses the first IP address found when looking up that hostname. No
DNS, one hostname, one address, no service-location plugin support,
no IPv6. These do need to be fixed....

Ken
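
Added example (not part of the original message and not MIT krb5 code): a sketch contrasting the kadmin behaviour described above, one admin_server hostname reduced to its first address, with the failover list a client could build from _kerberos-adm._tcp SRV records. The hostnames, addresses and record values are constructed, port 749 is the registered kerberos-adm port, and the RFC 2782 ordering is the general SRV client algorithm, assumed here rather than taken from the thread.

```python
import random

# Constructed sample data (not real records): SRV answers for
# _kerberos-adm._tcp.example.org as (priority, weight, port, target).
SRV = [
    (10, 0, 749, "kadm2.example.org"),
    (0, 5, 749, "kadm1.example.org"),
]
# Constructed address table standing in for A/AAAA lookups of each target.
ADDRS = {
    "kadm1.example.org": ["192.0.2.10", "2001:db8::10"],
    "kadm2.example.org": ["192.0.2.20"],
}

def first_address_only(admin_server, port=749):
    """Behaviour described in the reply: one hostname, first address, no failover."""
    return [(ADDRS[admin_server][0], port)]

def order_srv(records, rng=random):
    """RFC 2782 ordering: ascending priority, weighted random pick within a priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # Zero-weight records go first so they are only rarely selected.
        group = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            pick = rng.uniform(0, sum(r[1] for r in group))
            running = 0
            for r in group:
                running += r[1]
                if running >= pick:
                    break
            ordered.append(r)
            group.remove(r)
    return ordered

def srv_candidates(records, rng=random):
    """Every address (IPv4 and IPv6) of every SRV target, in failover order."""
    return [(addr, port)
            for _, _, port, target in order_srv(records, rng)
            for addr in ADDRS.get(target, [])]
```

With the constructed data, the single-hostname lookup yields one IPv4 endpoint, while the SRV-based list yields three endpoints across two hosts, including the IPv6 address.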