Principal names, mappings and RFCs
thomas.krauss at itserv.de
Mon Nov 11 10:11:52 EST 2013
We plan to use NFSv3 and Kerberos authentication.
Applications which use NFS will be provided with a keytab.
In order to have individual keytabs for each instance of an application on
lots of servers, we plan to use principal type 3 names - NT-SRV-HST - for the
myapp/host1.dom at REALM
myapp/host2.dom at REALM
We have an appliance providing the NFS server facility.
The appliance cuts off everything from a client's principal name that
follows the first instance.
So, given the example above, I do not need to take care of principal
mapping on the server, since "myapp" equals "myapp".
On the one hand this seems pretty convenient, but from a security point of
view I have some doubts, and that is why I am looking for guidelines.
I read the relevant chapters in RFC 1510 (7.2) and 4120 (6.2) and they do
not seem to forbid the "blackbox mapping" as described above. So - does our
vendor comply with the RFCs?
Are there any kinds of rules, or is that completely relative, because
principal mapping always depends on a customer's requirements?
Thanks for your insight.
View this message in context: http://kerberos.996246.n3.nabble.com/Principal-names-mappings-and-RFCs-tp38893.html
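Added illustration (not code from the post, from the appliance, or from any vendor): a small model of the "keep only the primary" mapping the message describes, put next to an explicit mapping table keyed by the full principal. The parser follows the RFC 1964 string form (components separated by "/", realm after "@", backslash escapes). Everything else is an assumption made here for the example: that the appliance also checks the realm (the post does not say), and the sample principals and the allow-list, which are constructed. The point it makes visible is that the truncating mapping gives every "myapp/<anything>@REALM" principal the same server-side identity, so the server cannot tell the hosts apart, while a full-name table lets only the two intended instances in.

```python
"""Model of the 'keep only the primary' principal mapping from the post.

Added example, not the appliance's code.  ASSUMPTIONS not stated in the
post: the appliance splits on the first unescaped '/', keeps what is in
front of it, and accepts only its own realm.  Sample names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _escape(s: str) -> str:
    # Inverse of the parser: make '/', '@' and '\' literal again.
    return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # ("myapp", "host1.dom")
    realm: str                    # "REALM"

    def __str__(self) -> str:
        return "/".join(_escape(c) for c in self.components) + "@" + _escape(self.realm)


def parse_principal(text: str) -> Principal:
    """Parse the RFC 1964 string form: '/' separates components, '@'
    introduces the realm, and a backslash makes the next character literal
    so 'my\\/app' is one component containing a slash, not two components."""
    components: List[str] = []
    buf: List[str] = []
    realm: Optional[str] = None
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
            continue
        if realm is None and ch == "/":
            components.append("".join(buf))
            buf = []
        elif realm is None and ch == "@":
            components.append("".join(buf))
            buf = []
            realm = ""            # realm characters follow
        else:
            buf.append(ch)
        i += 1
    if realm is None:
        raise ValueError("principal has no realm: %r" % text)
    realm = "".join(buf)
    if not realm or not all(components):
        raise ValueError("empty component or realm in %r" % text)
    return Principal(tuple(components), realm)


def appliance_map(p: Principal, local_realm: str) -> Optional[str]:
    """The mapping the post describes: drop everything after the primary,
    so myapp/host1.dom and myapp/host2.dom both become 'myapp'.
    ASSUMPTION: a realm check is applied; the post does not say so."""
    if p.realm != local_realm:
        return None
    return p.components[0]


def table_map(p: Principal, table: Dict[str, str]) -> Optional[str]:
    """Explicit mapping keyed by the full name.  RFC 4120 section 6.2
    treats names that differ in any component or in the realm as different
    principals, so the instance and the realm take part in the lookup."""
    return table.get(str(p))


SAMPLE = [  # constructed for the example
    "myapp/host1.dom@REALM",
    "myapp/host2.dom@REALM",
    "myapp/lab-box.dom@REALM",      # an instance nobody meant to use the share
    "myapp@REALM",                  # a bare user principal with the same primary
    "myapp/host1.dom@OTHER.REALM",  # same name, foreign realm
]

ALLOWED = {  # constructed: only the two intended instances
    "myapp/host1.dom@REALM": "myapp",
    "myapp/host2.dom@REALM": "myapp",
}


def compare_mappings(names=SAMPLE, local_realm="REALM", table=ALLOWED):
    """Return {name: (appliance_result, table_result)} for each sample."""
    out = {}
    for name in names:
        p = parse_principal(name)
        out[name] = (appliance_map(p, local_realm), table_map(p, table))
    return out


if __name__ == "__main__":
    for name, (a, t) in compare_mappings().items():
        print(f"{name:30} appliance={a!s:6} table={t!s}")
```

Running it shows the difference the post is asking about: under the truncating mapping the first four principals all collapse to "myapp", so a keytab for "myapp/<any instance>" in the realm is as good as the ones on host1 and host2, and nothing on the server side can distinguish or revoke them per host; the full-name table maps exactly the two listed instances and leaves the rest unmapped.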