Null realms and servers

Nicolas Williams Nicolas.Williams at sun.com
Sat Dec 16 02:24:52 EST 2006


On Fri, Dec 15, 2006 at 07:08:52PM -0500, Jeffrey Altman wrote:
> I agree that your proposal is a finer grained approach to determining
> the realm.  It does have the property that it might find the right
> realm under some circumstances, but I am aware of plenty of environments
> in which the failure to provide a domain realm mapping when combined
> with your algorithm would produce the wrong realm for the machine
> when the default realm specified in the krb5 profile is correct.
> 
> For a server which is the most frequently used case of a keytab file,
> the most common configuration of the machine existing in a single
> realm (the default realm) should just work.

The point is to provide a domain2realm that works with zero
configuration; where you would need configuration to deal with
special environments then you wouldn't use this scheme.

There are many sites where this approach would provide the best possible
results given zero configuration.

And note that where this approach wouldn't work then the MIT krb5 1.5
approach wouldn't work either.

> If a machine is hosting services within multiple domains and realms,
> the administrator should be required to specify the appropriate domain
> realm mappings.

There are three approaches for dealing with multi-realm servers:

 - give them multiple hostnames, one in each domain that corresponds to
   the realms in question (virtualize)

 - configure domain_realm relations on the _clients_ of that server

 - wait for referrals

Which do you want to recommend to customers?

Nico
-- 
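To make the disagreement above concrete, here is an added example (not code from this thread or from MIT krb5) that models the two fallback policies side by side: an explicit `[domain_realm]`-style lookup with the profile's default realm as fallback, versus a zero-configuration guess derived from the host's DNS domain. The mapping table, hostnames and realm names are constructed for the illustration, and `heuristic_realm` is only a simplified stand-in for the kind of DNS-derived scheme being argued about, not the proposal itself.

```python
# Added example: explicit domain_realm lookup vs. a zero-configuration DNS heuristic.
from typing import Dict, Optional, Tuple

# Constructed krb5.conf-style data (not from any real site).  Keys follow the
# krb5 [domain_realm] convention: a key with a leading '.' matches every host
# under that domain, a key without one matches exactly one host.
DOMAIN_REALM: Dict[str, str] = {
    ".example.com": "EXAMPLE.COM",
    ".corp.example.com": "CORP.EXAMPLE.COM",
    "legacy.lab.example.net": "EXAMPLE.COM",  # one host carved out of its DNS domain
}
DEFAULT_REALM = "EXAMPLE.COM"  # what the profile's default_realm would say


def explicit_realm(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Look hostname up in an explicit domain_realm mapping.

    The exact host is tried first, then each parent domain from most specific
    to least specific, so ".corp.example.com" wins over ".example.com" for
    host.corp.example.com.  Returns None when no entry matches.
    """
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    # Walk upwards: ".corp.example.com", ".example.com", ".com"
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def heuristic_realm(hostname: str) -> str:
    """Zero-configuration guess: the host's parent DNS domain, upper-cased.

    Assumption: this is a simplified stand-in for a DNS-derived scheme; it
    cannot know that lab.example.net is actually served by EXAMPLE.COM.
    """
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return labels[0].upper()
    return ".".join(labels[1:]).upper()


def resolve_realm(
    hostname: str,
    mapping: Dict[str, str] = DOMAIN_REALM,
    default_realm: str = DEFAULT_REALM,
    use_heuristic: bool = False,
) -> Tuple[str, str]:
    """Return (realm, source).  Explicit mapping always wins; the fallback is
    either the profile's default realm or the DNS heuristic."""
    realm = explicit_realm(hostname, mapping)
    if realm is not None:
        return realm, "domain_realm"
    if use_heuristic:
        return heuristic_realm(hostname), "heuristic"
    return default_realm, "default_realm"


def compare_policies(hostnames) -> Dict[str, Tuple[str, str]]:
    """For each host, the realm chosen under each fallback policy, so a
    site can see where the two disagree before relying on either."""
    return {
        h: (resolve_realm(h)[0], resolve_realm(h, use_heuristic=True)[0])
        for h in hostnames
    }


if __name__ == "__main__":
    # db01.lab.example.net is the single-realm server from the thread: no
    # mapping, default realm correct, DNS domain name unrelated to the realm.
    for host, (by_default, by_heuristic) in compare_policies(
        ["www.example.com", "host.corp.example.com", "db01.lab.example.net"]
    ).items():
        flag = "" if by_default == by_heuristic else "   <-- policies disagree"
        print(f"{host:28} default={by_default:18} heuristic={by_heuristic}{flag}")
```

The last host is the case Jeffrey describes: with no `domain_realm` entry, the default-realm fallback returns the right answer and the DNS heuristic does not, while for hosts whose DNS domain happens to spell their realm the two agree. Running `compare_policies` over a site's real hostnames is a cheap way to find out which fallback a given environment can live with.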


