Differentiated kdc lists

Henry B. Hotz hotz at jpl.nasa.gov
Wed Dec 8 21:35:58 EST 2004


I have to support clients behind firewalls that may air-gap.  I'm
providing slave kdc's in those areas, so functionality will exist, but . . .

It would be nice if I could use a single krb5.conf and somehow specify  
"if you're over here, use these kdc's".  That e.g. allows keeping the  
krb5.conf file in AFS, but also just simplifies writing set-up  
instructions.

I'm not asking anyone else to do the work here.  If (and I repeat, IF)  
I hack something, what do people think of syntax like this:

[realms]
	EXAMPLE.COM = {
		kdc = kerberos01.example.com
		...
		altkdc = {
			domain = secure.example.com
			kdc = kerberos10.secure.example.com
			...
		}
		altkdc = {
			domain = test-lan.example.com
			kdc = kerberos20.test-lan.example.com
			...
		}
	}

The intended behavior would be to try the alternate kdc's first if the
local FQDN ends in one of the given domains.  Then fall back to the main
kdc's (which may or may not be accessible).

Gonna' have to study the parsing routines for nested lists like this.   
Any comments/words of wisdom welcome.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
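The lookup the post proposes, as an added example that is not part of the original message and not code from MIT Kerberos: a small parser for the nested altkdc stanzas sketched above, plus a function that orders the KDCs the way the post describes (matching altkdc entries first, then the main kdc entries). The krb5.conf fragment is constructed from the post's example hostnames, and the names parse_profile, kdc_list and in_domain are assumptions of this example. One check a practitioner would want that the post does not spell out: "ends in one of the given domains" is matched on a label boundary, so a host in notsecure.example.com is not sent to the secure.example.com KDCs by a plain suffix match.

```python
import socket

# Constructed krb5.conf fragment in the altkdc syntax proposed in the post.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kerberos01.example.com
        kdc = kerberos02.example.com
        altkdc = {
            domain = secure.example.com
            kdc = kerberos10.secure.example.com
        }
        altkdc = {
            domain = test-lan.example.com
            kdc = kerberos20.test-lan.example.com
            kdc = kerberos21.test-lan.example.com
        }
    }
"""


def parse_profile(text):
    """Parse krb5.conf-style text into {section: stanza}.

    A stanza is a dict mapping each tag to the LIST of its values, because a
    tag may repeat (several 'kdc =' lines, several 'altkdc = {' blocks).  A
    value is either a string or a nested stanza (dict).  Hypothetical helper
    written for this example, not the libkrb5 profile parser."""
    sections = {}
    stack = []                      # innermost stanza being filled is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            if len(stack) > 1:
                raise ValueError("unterminated '{' before " + line)
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError("relation outside any section: " + line)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unmatched '}'")
            stack.pop()
            continue
        tag, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: " + line)
        tag, value = tag.strip(), value.strip()
        if value == "{":            # open a nested stanza under this tag
            child = {}
            stack[-1].setdefault(tag, []).append(child)
            stack.append(child)
        else:
            stack[-1].setdefault(tag, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' at end of file")
    return sections


def in_domain(fqdn, domain):
    """True when fqdn lies inside domain on a label boundary.

    'ws1.secure.example.com' matches 'secure.example.com', but
    'ws1.notsecure.example.com' does not; a bare endswith() would get the
    second case wrong.  Case-insensitive, trailing dots ignored."""
    f = fqdn.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return f == d or f.endswith("." + d)


def kdc_list(sections, realm, local_fqdn):
    """Order the KDCs for realm as the post proposes: kdc entries of every
    altkdc stanza whose domain contains local_fqdn first, then the realm's
    main kdc entries as the fallback.  Duplicates keep their first position."""
    values = sections.get("realms", {}).get(realm, [])
    if not values or not isinstance(values[0], dict):
        raise KeyError("no [realms] stanza for " + realm)
    cfg = values[0]
    ordered = []
    for alt in cfg.get("altkdc", []):
        if isinstance(alt, dict) and any(in_domain(local_fqdn, d)
                                         for d in alt.get("domain", [])):
            ordered.extend(alt.get("kdc", []))
    ordered.extend(cfg.get("kdc", []))
    seen, result = set(), []
    for kdc in ordered:
        if kdc not in seen:
            seen.add(kdc)
            result.append(kdc)
    return result


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_CONF)
    # A real client would use its own name, e.g. socket.getfqdn(); the
    # constructed names below exercise each branch offline.
    for host in ("ws1.secure.example.com", "ws1.test-lan.example.com",
                 "ws1.notsecure.example.com", socket.getfqdn()):
        print(host, "->", kdc_list(profile, "EXAMPLE.COM", host))
```

The parser accepts the post's syntax unchanged and does nothing special for the altkdc tag; all the policy lives in kdc_list, so the same ordering rule could later be applied to an admin_server or kpasswd_server list if that proved useful.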