Kadmin service principal revisited
Douglas E. Engert
deengert at anl.gov
Fri Aug 29 16:48:52 EDT 2003

Sam Hartman wrote:
>
> Greetings. As you may recall we agreed some time early this year that
> we would change the kadmin service principal from kadmin/admin at REALM
> to kadmin/hostname at REALM in order to be compatible with Sun as we
> picked up the new RPC code.
>
> Having audited many of the related patches, I'd like to revisit this
> decision.
>
> This change seems to have a number of negative effects. First, it
> assumes that the hostname returned by gethostname() is related to the
> name of the interface on which clients will connect. I.E. it assumes
> that gethostbyname(gethostname()) will give you the right principal
> component to use.

But isn't this the same situation we have when contacting a multi-homed
host using the host/hostname principal? There does not appear to
be any difference with this service as with any other service in the use
of hostnames.

Also I thought the name would come from the krb5.conf or SRV records,
so should have a full name.

>
> I'm concerned that this will be a regression in usability. In
> particular, I believe it will work less well with multi-homed hosts,
> will have more of a DNS dependence, and will be harder to support.
>
> However, if we keep kadmin/admin, we will have replay cache issues if
> we ever go to a multi-master setup and we will have an unnecessary
> incompatibility with Sun. It's my understanding from Sun that they
> consider any compatibility with our admin protocol an accident, so
> even if we happen to be compatible with Sun, there is no guarantee
> that will be the case in the future.
>
> What do people think?
>
> --Sam
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444