Null realms and servers
Sam Hartman
hartmans at MIT.EDU
Sun Dec 24 23:18:34 EST 2006
>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
Nicolas> On Sat, Dec 16, 2006 at 10:51:05AM -0800, Russ Allbery
Nicolas> wrote:
>> I believe assuming the default realm will be accurate in
>> significantly more circumstances than using any algorithm based
>> on the name of the system.
Nicolas> Certainly not in multi-realm environments, and in any
Nicolas> case, in a zero-conf environment there is no default
Nicolas> realm: one has to be discovered.
Nico, I completely understand zero-conf clients. But I don't
currently believe in zero-conf servers. You need to get the keytab
onto the machine somehow. At that point you could set a default realm
or configure a domain_realm mapping.
I don't understand how a server can perform your canonicalization
algorithm without first getting tickets. I don't think it is
appropriate for krb5_rd_req or especially krb5_kt_* to get tickets.
Again, anything that gets you tickets to do the canonicalization could
set up a default realm or domain_realm mapping.
I do agree with you completely for the client side.