Differentiated kdc lists

Henry B. Hotz hotz at jpl.nasa.gov
Wed Dec 8 21:35:58 EST 2004

I have to support clients behind firewalls that may air-gap.  I'm  
providing slave kdc's in those areas, so functionality will exist, but.  
. .

It would be nice if I could use a single krb5.conf and somehow specify  
"if you're over here, use these kdc's".  That e.g. allows keeping the  
krb5.conf file in AFS, but also just simplifies writing set-up  

I'm not asking anyone else to do the work here.  If (and I repeat, IF)  
I hack something, what do people think of syntax like this:

		kdc = kerberos01.example.com
		altkdc = {
			domain = secure.example.com
			kdc = kerberos10.secure.example.com
		altkdc = {
			domain = test-lan.example.com
			kdc = kerberos20.test-lan.example.com

The intended behavior would be to try the alternate kdc's first if the  
local FQDN ends in one of the given domains.  Then fallback to the main  
kdc's (which may or may not be accessible).

Gonna' have to study the parsing routines for nested lists like this.   
Any comments/words of wisdom welcome.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

More information about the krbdev mailing list