Kadmin service principal revisited

Sam Hartman hartmans at MIT.EDU
Fri Aug 29 16:36:55 EDT 2003

Greetings.  As you may recall we agreed some time early this year that
we would change the kadmin service principal from kadmin/admin@REALM
to kadmin/hostname@REALM in order to be compatible with Sun as we
picked up the new RPC code.

Having audited many of the related patches, I'd like to revisit this.

This change seems to have a number of negative effects.  First, it
assumes that the hostname returned by gethostname() is related to the
name of the interface on which clients will connect.  I.e., it assumes
that gethostbyname(gethostname()) will give you the right principal
component to use.

I'm concerned that this will be a regression in usability.  In
particular, I believe it will work less well with multi-homed hosts,
will have more of a DNS dependence, and will be harder to support.

However, if we keep kadmin/admin, we will have replay cache issues if
we ever go to a multi-master setup and we will have an unnecessary
incompatibility with Sun.  It's my understanding from Sun that they
consider any compatibility with our admin protocol an accident, so
even if we happen to be compatible with Sun, there is no guarantee
that will be the case in the future.

What do people think?
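
The hostname assumption raised in the message above, as an added C example that is not part of the original post or of MIT's code. A constructed resolver table stands in for DNS on a multi-homed admin server, and the client is assumed to derive the principal by canonicalizing the name it connects to; all host names, the realm and the helper functions are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed resolver table standing in for DNS on a multi-homed admin
 * server: each name a party might start from, and its canonical name. */
struct host_entry { const char *name; const char *canonical; };
static const struct host_entry HOSTS[] = {
    { "kdc1",              "kdc1.int.example.com" }, /* what gethostname() returns */
    { "admin.example.com", "kdc1-ext.example.com" }, /* name clients connect to */
};

/* Stand-in for gethostbyname(name)->h_name; NULL when the lookup fails. */
static const char *canonicalize(const char *name)
{
    for (size_t i = 0; i < sizeof HOSTS / sizeof HOSTS[0]; i++)
        if (strcmp(HOSTS[i].name, name) == 0)
            return HOSTS[i].canonical;
    return NULL;
}

/* Build kadmin/<canonical host>@<realm>. Returns 0 on success, -1 if the
 * name does not resolve or the buffer is too small. */
int host_based_principal(const char *start, const char *realm, char *out, size_t outlen)
{
    const char *canon = canonicalize(start);
    if (canon == NULL)
        return -1;
    int n = snprintf(out, outlen, "kadmin/%s@%s", canon, realm);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if server and client derive the same principal, 0 if they differ,
 * -1 if either side cannot derive one at all (the DNS dependence). */
int principals_agree(const char *server_hostname, const char *client_target, const char *realm)
{
    char srv[256], cli[256];
    if (host_based_principal(server_hostname, realm, srv, sizeof srv) != 0 ||
        host_based_principal(client_target, realm, cli, sizeof cli) != 0)
        return -1;
    printf("server registers: %s\nclient requests:  %s\n", srv, cli);
    return strcmp(srv, cli) == 0;
}

int main(void)
{
    int r = principals_agree("kdc1", "admin.example.com", "EXAMPLE.COM");
    printf("%s\n", r == 1 ? "match" : r == 0 ? "mismatch" : "lookup failed");
    return r == 1 ? 0 : 1;
}
```

With the fixed kadmin/admin name neither side performs a lookup, so the mismatch and lookup-failure cases cannot arise.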

