Any workaround for [domain_realm] section
Ken Raeburn
raeburn at MIT.EDU
Tue Jul 29 06:20:32 EDT 2008
On Jul 29, 2008, at 08:49, Abhishek Chowdhury wrote:
> Now in the realm AMIT.ABHI.COM I have around 400 entries (services). If I go
> through the method above then I have to enter the 400 entries separately for
> the services in AMIT.ABHI.COM. Also I cannot write abhi.com = AMIT.ABHI.COM
> or .abhi.com = AMIT.ABHI.COM because it is already used for AS.ABHI.COM.
>
> So is there any workaround for this problem?
> Changing of DNS name is also not possible.
> Any pointers in this regard will be very helpful.
If you can add TXT records for the hosts in AMIT, you could enable the
use of these TXT records on all the clients; it's a theoretical
security weakness, though, which is why it's off by default. The
admin or install guides should mention how to set these up, I think.
(Sorry, only have a few minutes right now.)
You could also set up some site-wide scheme for distributing updates
to the domain_realm section, but that's kind of ugly.
If you set KRB5_CONFIG to a colon-separated list of files, the krb5
library code will read all of them in. If you have some site-wide
shared file system, you could put a file there with the domain_realm
entries for your site, but obviously there are potential security and
performance issues there.
Eventually we want to have a way for the KDC to supply this
information, but while we've got a spec in the works, we don't have an
implementation yet.
Ken
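As an added illustration of the two mechanisms Ken points at, the [domain_realm] lookup and the merging of a colon-separated KRB5_CONFIG, here is example code written for this page (it is not from the thread and not MIT krb5's code). The file paths, host names, and the earlier-file-wins precedence on duplicate keys are assumptions.

```python
import re

def parse_domain_realm(text):
    """Return the [domain_realm] relations of one krb5.conf-style text (minimal parser)."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, _, realm = line.partition("=")
            mapping[key.strip().lower()] = realm.strip()
    return mapping

def merged_domain_realm(krb5_config, files):
    """Read every file in a colon-separated KRB5_CONFIG, as the krb5 library does.
    Assumed here: on a duplicate key the earlier file wins."""
    merged = {}
    for path in krb5_config.split(":"):
        for key, realm in parse_domain_realm(files[path]).items():
            merged.setdefault(key, realm)
    return merged

def realm_for_host(hostname, domain_realm):
    """Most specific entry wins: a.b.c, then .b.c, b.c, .c, c (krb5's search order)."""
    labels = hostname.lower().rstrip(".").split(".")
    candidates = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        candidates += ["." + parent, parent]
    return next((domain_realm[c] for c in candidates if c in domain_realm), None)

# Constructed sample files (not from the thread): local krb5.conf holds the generic
# AS rule; a site-wide file on a shared file system holds the per-host AMIT entries.
LOCAL_CONF = """[domain_realm]
    .abhi.com = AS.ABHI.COM
    abhi.com = AS.ABHI.COM
"""
SITE_CONF = """[domain_realm]
    # one line per AMIT service host; the generic .abhi.com rule cannot express this
    svc01.abhi.com = AMIT.ABHI.COM
    svc02.abhi.com = AMIT.ABHI.COM
"""
FILES = {"/etc/krb5.conf": LOCAL_CONF, "/site/share/krb5-domain-realm.conf": SITE_CONF}
KRB5_CONFIG = "/etc/krb5.conf:/site/share/krb5-domain-realm.conf"

def lookup(hostname):
    return realm_for_host(hostname, merged_domain_realm(KRB5_CONFIG, FILES))
```

Hosts without an explicit entry fall through to the `.abhi.com` rule and land in AS.ABHI.COM, which is exactly why each AMIT service host needs its own line.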