Is a Kerberos principal always a DNS name?
Douglas E. Engert
deengert at anl.gov
Thu Apr 24 14:06:25 EDT 2008
Victor Sudakov wrote:
> Is a Kerberos principal always a DNS name? Can't an IP literal be used?
I think they must be names, but don't have to be in DNS. The name could
be in /etc/hosts. The client and server must agree on the name of the
server, and the KDC has to have a service principal for the server.
IPs don't tend to work, and if the IP number of the service changes,
with DHCP for example, each service would have to have a keytab
with the old and new IP numbers, which is not practical, and could
have some security issues.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439