Null realms and servers
Nicolas Williams
Nicolas.Williams at sun.com
Tue Dec 19 11:42:43 EST 2006

On Tue, Dec 19, 2006 at 10:47:37AM -0500, Derek Atkins wrote:
> Nicolas Williams <Nicolas.Williams at sun.com> writes:
>
> > - I've convinced Sam that the fallback host2realm algorithm that I
> >   described, in conjunction with referrals, will be very useful.
> >
> >   Specifically the algorithm we propose allows zero-configuration
> >   clients to prosper in any environment that has the following
> >   characteristics:
> >
> >    - Realm names correspond to DNS domain names, but without
> >      necessarily having a sub-realm for every sub-domain.  E.g.,
> >
> >        .sun.com         = SUN.COM
> >        .east.sun.com    = SUN.COM
> >        .central.sun.com = SUN.COM
>
> How do you determine the base domain for a realm hierarchy?
> E.g. what kind of algorithm do you use to decide whether
> w.x.y.z maps to Y.Z or X.Y.Z? For example, how would you
> handle myhost.oxford.ac.uk? Or even myhost.mydept.oxford.ac.uk?
> Obviously you wouldn't want this to map to domain AC.UK.

The algorithm is:

    realm = NULL;
    domain = fqdn;
    while (domain.label_count > 2) {
        domain = pop_label(domain);
        realm = domain2realm(domain);  /* for ASCII: toupper() */
        if (lookup_kdcs(realm) > 0)
            break;
        realm = NULL;
    }
    return (realm);

This does depend on having FQDNs, which means we still have to solve the
secure hostname canonicalization problem.  (More on that in a separate
thread, some other time.)

> How do you algorithmically differentiate between foo.oxford.ac.uk
> and foo.east.sun.com?

See above!

Nico
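
The label-stripping walk from the message, as a runnable C function that also counts how many realms are looked up for a given hostname. This is an added example, not part of the original message or of any Kerberos implementation; lookup_kdcs() is a stand-in backed by constructed data, and host2realm(), label_count() and the probes counter are names chosen here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for lookup_kdcs(): constructed data, only these two realms have
 * KDCs. A real client would consult its configuration or DNS here. */
static int lookup_kdcs(const char *realm)
{
    return strcmp(realm, "SUN.COM") == 0 || strcmp(realm, "OXFORD.AC.UK") == 0;
}

static int label_count(const char *d)
{
    int n = 1;
    while ((d = strchr(d, '.')) != NULL && *++d != '\0') /* skip root dot */
        n++;
    return n;
}

/* domain starts as the host's FQDN. Strip leading labels until a realm with
 * KDCs is found or two labels remain. Returns 1 with realm filled, else 0
 * with realm empty; *probes counts lookups; len must be at least 1. */
int host2realm(const char *domain, char *realm, size_t len, int *probes)
{
    *probes = 0;
    while (label_count(domain) > 2) {
        domain = strchr(domain, '.') + 1;            /* pop_label() */
        size_t n = strlen(domain);
        if (domain[n - 1] == '.')
            n--;                                     /* drop trailing root dot */
        if (n >= len)
            break;
        for (size_t i = 0; i < n; i++)               /* domain2realm(), ASCII */
            realm[i] = (char)toupper((unsigned char)domain[i]);
        realm[n] = '\0';
        (*probes)++;
        if (lookup_kdcs(realm) > 0)
            return 1;
    }
    realm[0] = '\0';
    return 0;
}

int main(void)
{
    char realm[256];
    int probes, ok = host2realm("foo.east.sun.com", realm, sizeof(realm), &probes);
    printf("%s after %d lookups\n", ok ? realm : "(no realm)", probes);
    return 0;
}
```

With this sample data, a host such as host.cam.ac.uk ends with a lookup for AC.UK before the function gives up, because the loop stops only once two labels remain.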