Null realms and servers
Jeffrey Altman
jaltman at secure-endpoints.com
Fri Dec 15 19:08:52 EST 2006
I agree that your proposal is a finer grained approach to determining
the realm. It does have the property that it might find the right
realm under some circumstances, but I am aware of plenty of environments
in which the failure to provide a domain realm mapping when combined
with your algorithm would produce the wrong realm for the machine
when the default realm specified in the krb5 profile is correct.
For a server which is the most frequently used case of a keytab file,
the most common configuration of the machine existing in a single
realm (the default realm) should just work.
If a machine is hosting services within multiple domains and realms,
the administrator should be required to specify the appropriate domain
realm mappings.
Jeffrey Altman
Nicolas Williams wrote:
> On Fri, Dec 15, 2006 at 06:51:35PM -0500, Jeffrey Altman wrote:
>> I believe that matching against the default realm is the correct
>> change for this case.
>
> It is not.
>
> Just a few days ago I discussed with Sam an alternative fallback
> host2realm resolution that Solaris will likely soon sport:
>
> If there are no domain_realm relations (by default there are none)
> and use of DNS for host2realm resolution is off (by default it is),
> then:
>
> while (the hostname has more than two domain labels) {
> strip off the leading label;
> if (find KDC for the realm that corresponds to the
> remaining domainname)
> return (realm that corresponds to the remaining dname);
> }
>
> if (there is a default realm)
> return (default realm);
>
> return (host2realm(of local host's FQDN));
>
>
> Nico
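The following is an added worked model of the two positions in this exchange; it is not code from the thread, from MIT krb5, or from Solaris. It implements the fallback Nico sketches (walk the host's parent domains looking for one whose realm has a reachable KDC, then the profile default realm, then the local host's FQDN) beside the simpler "use the default realm" behaviour Jeffrey argues for, and runs both on the case Jeffrey describes: a server whose krb5 profile default realm is correct, no [domain_realm] entry, and an unrelated realm with a KDC further up the DNS tree. The realm names, host names, KDC table, Krb5Profile class and the [domain_realm] matching helper are all constructed for the example; the KDC table stands in for a DNS SRV or [realms] lookup.

```python
"""Model of two host2realm fallbacks discussed on krbdev (added example, not
project code).  Constructed data: KDCS, the realm and host names below."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Optional

# Constructed stand-in for "find KDC for the realm": only these realms resolve.
KDCS: Dict[str, List[str]] = {
    "EXAMPLE.COM": ["kdc1.example.com"],          # run by another group
    "CORP.EXAMPLE.NET": ["kdc.corp.example.net"],  # the server's own realm
}


def find_kdc(realm: str, kdcs: Dict[str, List[str]] = KDCS) -> Optional[List[str]]:
    """Return KDC addresses for realm, or None if none can be located."""
    return kdcs.get(realm)


@dataclass
class Krb5Profile:
    """Hypothetical subset of a krb5 profile: only the knobs this model needs."""
    default_realm: Optional[str]
    domain_realm: Dict[str, str] = field(default_factory=dict)  # [domain_realm]
    dns_lookup_realm: bool = False                               # off by default
    local_fqdn: str = "localhost.localdomain"


def parent_domains(hostname: str) -> Iterator[str]:
    """Walk parent domains the way the quoted loop does: for 'a.b.c.d' yield
    'b.c.d' then 'c.d', stopping once only two labels remain."""
    labels = hostname.rstrip(".").lower().split(".")
    while len(labels) > 2:
        labels = labels[1:]
        yield ".".join(labels)


def domain_realm_lookup(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """[domain_realm]-style match (simplified): exact host first, then each
    parent domain written with a leading dot, most specific first."""
    host = hostname.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


def suffix_walk_resolve(hostname: str, cfg: Krb5Profile,
                        kdc_lookup: Callable[[str], Optional[List[str]]] = find_kdc,
                        _recursing: bool = False) -> Optional[str]:
    """Nico's proposed fallback: explicit mapping wins; with no mapping and DNS
    realm lookup off, pick the first parent domain whose realm has a KDC; then
    the default realm; then resolve the local host's own FQDN."""
    realm = domain_realm_lookup(hostname, cfg.domain_realm)
    if realm is not None:
        return realm
    if not cfg.domain_realm and not cfg.dns_lookup_realm:
        for domain in parent_domains(hostname):
            candidate = domain.upper()  # conventional domain -> realm spelling
            if kdc_lookup(candidate):
                return candidate
    if cfg.default_realm:
        return cfg.default_realm
    if not _recursing:  # guard so the local-FQDN step cannot recurse forever
        return suffix_walk_resolve(cfg.local_fqdn, cfg, kdc_lookup, _recursing=True)
    return None


def default_realm_resolve(hostname: str, cfg: Krb5Profile) -> Optional[str]:
    """Jeffrey's position: explicit mapping wins; otherwise a single-realm
    server simply uses the profile's default realm."""
    realm = domain_realm_lookup(hostname, cfg.domain_realm)
    return realm if realm is not None else cfg.default_realm


def compare(hostname: str, cfg: Krb5Profile) -> Dict[str, Optional[str]]:
    """Run both strategies so the disagreement is visible side by side."""
    return {"suffix_walk": suffix_walk_resolve(hostname, cfg),
            "default_realm": default_realm_resolve(hostname, cfg)}


if __name__ == "__main__":
    # Jeffrey's case: the server belongs to its default realm, no mapping,
    # but a KDC exists for the realm named after a parent DNS domain.
    unmapped = Krb5Profile(default_realm="CORP.EXAMPLE.NET")
    print(compare("files.eng.example.com", unmapped))
    # The remedy both agree on: an explicit [domain_realm] relation.
    mapped = Krb5Profile(default_realm="CORP.EXAMPLE.NET",
                         domain_realm={".eng.example.com": "CORP.EXAMPLE.NET"})
    print(compare("files.eng.example.com", mapped))
```

With no mapping, the suffix walk stops at EXAMPLE.COM because a KDC answers for it, while the default-realm rule returns CORP.EXAMPLE.NET; once the administrator adds the `.eng.example.com` relation, both strategies agree. Note that the walk is also the only one of the two that can find a realm for a host under a foreign domain when the profile has no default realm at all, which is the case it was designed for.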