DNS lookups and krb4 Support

Jeffrey Altman jaltman at columbia.edu
Mon Jun 2 13:33:32 EDT 2003

Sam Hartman wrote:

>>>>>>"Jeffrey" == Jeffrey Altman <jaltman at columbia.edu> writes:
>    Jeffrey> Shall we agree to alter this to read:
>    Jeffrey> 1) krb.com 2) "kerberos-iv" SRV record if "kerberos-iv"
>    Jeffrey> SRV record does not exist and does not return "." try 3)
>    Jeffrey> "kerberos" SRV record 4) "kerberos.REALM" A or CNAME
>    Jeffrey> record
>I agree this is a valid option to consider.  There is a reasonable
>probability this is what we will decide on.
>However, keep in mind that there is a large class of realms out there
>that do not support krb4 and will not ever advertise a kerberos-iv SRV
>record indicating the service is unavailable.  I'm thinking of Windows
>active directory realms.
>So,  I believe another option to consider is
>1)  krb.conf|krb5.conf
>2) kerberos-iv SRV records

Not for the KfW 2.5 release.  As I mentioned in a previous e-mail, Leash 
at the present time enforces the synchronization of the krb.con and 
krb5.ini files.  Therefore, there will be no realm information in 
krb5.conf which does not exist in krb.con.  Also, the Windows Krb4 
library does not understand the profile API at all.

When we merge the Windows Kerberos 4 library with the Krb5 Krb4 library, 
we will abandon the krb.con and krbrealm.con files.  Leash will then 
enforce synchronization between the krb.con/krbrealm.con files and the 
[v4 realm] and [v4 realm-domain] sections of krb5.conf.

- Jeff
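
The four-step lookup order proposed in the quoted text, as an added example that is not part of the original message or of any Kerberos code base. The `_kerberos-iv._udp` / `_kerberos._udp` owner names, the dict-backed resolver, and all realm and host names are assumptions constructed for illustration.

```python
# Added example. The zone data below is constructed; no real DNS queries are made.
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]  # (name, rrtype) -> targets, [] if none


def make_resolver(zone: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Hypothetical stand-in for a DNS stub resolver, backed by a dict."""
    return lambda name, rrtype: zone.get((name.lower(), rrtype), [])


def locate_krb4_kdc(realm: str, config: Dict[str, List[str]],
                    resolve: Resolver) -> Tuple[str, List[str]]:
    """Return (source, hosts); an empty host list means no krb4 KDC to contact."""
    if realm in config:                       # 1) local configuration file
        return "config", config[realm]
    domain = realm.lower()
    # 2) "kerberos-iv" SRV record (owner-name layout is an assumption)
    targets = resolve(f"_kerberos-iv._udp.{domain}", "SRV")
    if targets == ["."]:                      # "." = service explicitly absent: stop
        return "kerberos-iv SRV says unavailable", []
    if targets:
        return "kerberos-iv SRV", targets
    # 3) "kerberos" SRV record; a "." target is treated here as no usable host
    targets = [t for t in resolve(f"_kerberos._udp.{domain}", "SRV") if t != "."]
    if targets:
        return "kerberos SRV", targets
    # 4) kerberos.REALM A or CNAME record
    host = f"kerberos.{domain}"
    if resolve(host, "A") or resolve(host, "CNAME"):
        return "kerberos.REALM host", [host]
    return "not found", []


CONFIG = {"LOCAL.EXAMPLE": ["kdc.local.example"]}          # constructed
ZONE = {                                                    # constructed
    ("_kerberos-iv._udp.v4.example", "SRV"): ["kdc4.v4.example"],
    ("_kerberos-iv._udp.nov4.example", "SRV"): ["."],
    ("_kerberos._udp.nov4.example", "SRV"): ["kdc5.nov4.example"],
    ("_kerberos._udp.ad.example", "SRV"): ["dc1.ad.example"],
    ("kerberos.old.example", "A"): ["192.0.2.10"],
}

if __name__ == "__main__":
    resolve = make_resolver(ZONE)
    for realm in ("LOCAL.EXAMPLE", "V4.EXAMPLE", "NOV4.EXAMPLE",
                  "AD.EXAMPLE", "OLD.EXAMPLE", "NONE.EXAMPLE"):
        print(realm, "->", locate_krb4_kdc(realm, CONFIG, resolve))
```

`AD.EXAMPLE` models the case raised in the quoted reply: a realm that publishes no `kerberos-iv` record at all, so the krb4 lookup falls through to the `kerberos` SRV host, while `NOV4.EXAMPLE` stops at step 2 because it publishes a `.` target.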
