Any workaround for [domain_realm] section

Ken Raeburn raeburn at MIT.EDU
Tue Jul 29 06:20:32 EDT 2008

On Jul 29, 2008, at 08:49, Abhishek Chowdhury wrote:
> Now in the realm AMIT.ABHI.COM I have around 400 entries(servics).If  
> I go
> through the method above then I have to enter the 400 entries  
> separately for
> the services in AMIT.ABHI.COM. Also I cannot write =  
> or because it is already used for AS.ABHI.COM.
> So is there any workaround for this problem.
> Changing of DNS name is also not possible.
> Any pointers in this regard will be very helpful.

If you can add TXT records for the hosts in AMIT, you could enable the  
use of these TXT records on all the clients; it's a theoretical  
security weakness, though, which is why it's off by default.  The  
admin or install guides should mention how to set these up, I think.   
(Sorry, only have a few minutes right now.)

You could also set up some site-wide scheme for distributing updates  
to the domain_realm section, but that's kind of ugly.

If you set KRB5_CONFIG to a colon-separated list of files, the krb5  
library code will read all of them in.  If you have some site-wide  
shared file system, you could put a file there with the domain_realm  
entries for your site, but obviously there are potential security and  
performance issues there.

Eventually we want to have a way for the KDC to supply this  
information, but while we've got a spec in the works, we don't have an  
implementation yet.


More information about the Kerberos mailing list