Differentiated kdc lists
Derek Atkins
warlord at MIT.EDU
Thu Dec 9 09:44:17 EST 2004
"Henry B. Hotz" <hotz at jpl.nasa.gov> writes:
> I have to support clients behind firewalls that may air-gap. I'm
> providing slave kdc's in those areas, so functionality will exist,
> but. . .
If the machines are air-gapped, how does the slave kdc sync to the
master kdc? If the KDCs can talk, then you are not air-gapping.

A real air-gap also implies separate DNS servers, so just use
different zone information for the Kerberos SRV records in the outside
zone vs. the airgap zone to point to the air-gap "slave" kdc.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
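
The split SRV records suggested in the message above, sketched as an added example that is not part of the original post. The realm EXAMPLE.COM, the host names and the addresses are constructed placeholders, and the two fragments are assumed to live on the separate DNS servers on each side of the gap.

```dns
; Constructed example: realm EXAMPLE.COM, hypothetical hosts and addresses.
; SRV record layout: name TTL class SRV priority weight port target

; ---- File 1: example.com as served by the OUTSIDE DNS servers ----
$ORIGIN example.com.
_kerberos._udp         3600 IN SRV 0 0 88  kdc-master.example.com.
_kerberos._tcp         3600 IN SRV 0 0 88  kdc-master.example.com.
_kerberos-master._udp  3600 IN SRV 0 0 88  kdc-master.example.com.
_kerberos-adm._tcp     3600 IN SRV 0 0 749 kdc-master.example.com.
_kpasswd._udp          3600 IN SRV 0 0 464 kdc-master.example.com.
kdc-master             3600 IN A   192.0.2.10

; ---- File 2: example.com as served by the DNS servers INSIDE the air gap ----
$ORIGIN example.com.
; Clients inside the gap only ever learn about the local slave KDC.
_kerberos._udp         3600 IN SRV 0 0 88  kdc-slave.example.com.
_kerberos._tcp         3600 IN SRV 0 0 88  kdc-slave.example.com.
kdc-slave              3600 IN A   198.51.100.10
; Assumption: no _kerberos-master, _kerberos-adm or _kpasswd records are
; published here, because those services run on the master KDC, which is
; not reachable from this side. A slave KDC holds a read-only database copy.
```

From a client on each side, `dig +short SRV _kerberos._udp.example.com` should return only the KDC reachable from that side.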