Proper ordering of mapping entries in [domain_realms] section of krb5.conf
Greg Hudson
ghudson at mit.edu
Tue Dec 9 13:16:18 EST 2014
On 12/09/2014 12:32 AM, Todd Grayson wrote:
> What is the proper order for the [domain_realms] section of the krb5.conf
> with regard to rules being applied when there are mixed DNS FQDN, domain
> names and REALMS?
The order of relations in a profile only matters for relations of the
same name (such as multiple values of "kdc" in a realm subsection). For
[domain_realm], the library will search from most specific to least
specific regardless of the order of the domains in the profile.
> [domain_realm]
> specific-host.domain.name = REALM.NAME
> domain.name = OTHER.REALM.NAME
> .domain.name = OTHER.REALM.NAME
As an aside, you do not need a .domain.name entry if you have a
domain.name entry saying the same thing. Older versions of our
documentation suggested putting in a .domain.name entry, but there was
no reason for it.
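
The lookup described in this message, as an added Python sketch that is not part of the original post or of the MIT krb5 source: it resolves a hostname against the quoted relations and checks that every ordering of the entries gives the same realm. The exact suffix sequence (a.b.c, .b.c, b.c, .c, c), the lowercasing, and keeping the first value of a repeated name are assumptions of this sketch.

```python
import itertools

# Constructed sample: the three relations quoted in the message.
SAMPLE = """\
[domain_realm]
    specific-host.domain.name = REALM.NAME
    domain.name = OTHER.REALM.NAME
    .domain.name = OTHER.REALM.NAME
"""

def parse_domain_realm(text):
    """Return [domain_realm] relations as (name, realm) pairs in file order."""
    pairs, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
        elif in_section and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            pairs.append((name.lower(), realm))
    return pairs

def candidates(hostname):
    """Names to try, most specific first: a.b.c, .b.c, b.c, .c, c (assumed)."""
    labels = hostname.lower().rstrip(".").split(".")
    names = [".".join(labels)]
    for i in range(1, len(labels)):
        rest = ".".join(labels[i:])
        names += ["." + rest, rest]
    return names

def host_realm(hostname, pairs):
    """Return (matching relation name, realm), or (None, None) if nothing matches."""
    table = {}
    for name, realm in pairs:
        table.setdefault(name, realm)  # assumption: first value of a repeated name wins
    for name in candidates(hostname):
        if name in table:
            return name, table[name]
    return None, None

def order_independent(hostname, pairs):
    """True if every ordering of the relations yields the same answer."""
    return len({host_realm(hostname, p) for p in itertools.permutations(pairs)}) == 1

if __name__ == "__main__":
    pairs = parse_domain_realm(SAMPLE)
    for host in ("specific-host.domain.name", "other.domain.name", "domain.name"):
        print(host, host_realm(host, pairs), order_independent(host, pairs))
```

With the `.domain.name` relation removed from the sample, `other.domain.name` still resolves to OTHER.REALM.NAME through the `domain.name` relation, which is the redundancy the reply points out.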