Differentiated kdc lists

Henry B. Hotz hotz at jpl.nasa.gov
Fri Dec 10 03:57:28 EST 2004

On Dec 9, 2004, at 6:44 AM, Derek Atkins wrote:

> "Henry B. Hotz" <hotz at jpl.nasa.gov> writes:
>> I have to support clients behind firewalls that may air-gap.  I'm
>> providing slave kdc's in those areas, so functionality will exist,
>> but.  . .
> If the machines are air-gap'ed how does the slave kdc sync to the
> master kdc?  If the KDCs can talk, then you are not air-gapping.

Not air-gapped all the time.  kdc's synched while not air-gapped.   
Gradually drift apart while air-gapped.

To address one of Ken's comments:  we don't use DHCP, except in  
conference rooms and on wireless, so that doesn't get us much.

> A real air-gap also implies separate DNS servers, so just use
> different zone information for the Kerberos SRV records in the outside
> zone vs. the airgap zone to point to the air-gap "slave" kdc.

It does imply that (or at least a well-maintained /etc/hosts file)  
doesn't it?

It kind of boils down to ease of deployment.  The DNS servers are in  
two (maybe 3) other organizations.  They're cooperative enough, but  
getting the right differentiated SRV records would be real overhead.   
We've also got to get Windows AD moved out of the way in the main  
domain if we can.

Maybe the real question I should be asking is:  how do you deploy  
kerberized applications in AFS when:
	1) you can't assume Kerberos 5 is set up on the client workstation.
	2) the correct kdc's to use vary, and
	3) Windows AD has pre-empted some of the DNS records you ought to be  
using to solve 1 and 2.

I'm no longer sure I ought to fight this problem.  2) is inherent, but  
1) and 3) can probably be fixed well enough eventually.  Still don't  
like the short-term situation though.

Thanks for all the feedback, everyone.  I've got a clearer  
understanding of my tradeoffs now.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

More information about the krbdev mailing list