Null realms and servers

Nicolas Williams Nicolas.Williams at
Wed Dec 27 13:34:55 EST 2006

On Sun, Dec 24, 2006 at 11:18:34PM -0500, Sam Hartman wrote:
> Nico, I completely understand zero-conf clients.  But I don't
> currently believe in zero-conf servers.  You need to get the keytab
> onto the machine somehow.  At that point you could set a default realm
> or configure a domain_realm mapping.

Zero-conf servers need acceptor credentials, true, but if they need
nothing else that would need to be maintained, that'd be great.

Now, servers don't need domain_realm relations, so this is not an issue
for servers.

Servers do need capaths info though.  I can see servers w/o capaths info
always accepting x-realm tickets whose transit paths are hierarchical
(or with hierarchical short-cuts) or where the server's KDC checked
transited policy, but rejecting transits that are not hierarchical and
not checked by the KDC.  Servers that would reject some hierarchical
transit paths should have to have local configuration.

> I don't understand how a server can perform your canonicalization
> algorithm without first getting tickets.  I don't think it is
> appropriate for krb5_rd_req or especially krb5_kt_* to get tickets.

If the server is trying to canonicalize its own principal name then
lookups in its keytab can replace the role of the TGS exchanges in my

> Again, anything that gets you tickets to do the canonicalization could
> set up a default realm or domain_realm mapping.

But we don't have a protocol to download domain_realm and capaths data.
Nor do we need any if we can find defaults that are appropriate to the
vast majority of would-be zero-conf clients (and servers).

> I do agree with you completely for the client side.

W.r.t. host2realm, canonicalization, or both?
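
The acceptance rule sketched in the message for servers without capaths data, as an added example that is not part of the original post and is not MIT krb5 code. It assumes the transited field has already been decoded into an ordered list of realm names, that "hierarchical short-cuts" means an in-order subset of the realms on the up-then-down path between the client and server realms, and that `kdc_checked` reflects the ticket's TRANSITED-POLICY-CHECKED flag; all function names are hypothetical.

```python
# Added illustration; function names and the short-cut interpretation are assumptions.

def ancestors(realm):
    """Realm plus each parent made by stripping leading labels: A.B.C -> A.B.C, B.C, C."""
    labels = realm.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def hierarchical_intermediates(client_realm, server_realm):
    """Realms strictly between client and server on the hierarchical path.

    The path climbs from the client realm to the nearest common ancestor,
    then descends to the server realm. Returns None if no ancestor is shared.
    """
    up, down = ancestors(client_realm), ancestors(server_realm)
    common = next((r for r in up if r in down), None)
    if common is None:
        return None
    path = up[:up.index(common) + 1] + down[:down.index(common)][::-1]
    return path[1:-1]

def is_ordered_subset(transited, path):
    """True if every transited realm appears in path, in the same order."""
    remaining = iter(path)
    return all(realm in remaining for realm in transited)

def accept_transit(client_realm, server_realm, transited, kdc_checked):
    """Decide whether a server with no capaths configuration accepts the ticket."""
    if kdc_checked:
        return True   # the server's KDC already applied its transited policy
    if not transited:
        return True   # no intermediate realms, so nothing to check
    path = hierarchical_intermediates(client_realm, server_realm)
    # Reject anything that is neither KDC-checked nor hierarchical.
    return path is not None and is_ordered_subset(transited, path)

if __name__ == "__main__":
    # Constructed sample realms.
    client, server = "A.B.EXAMPLE.COM", "X.Y.EXAMPLE.COM"
    for transited in (["B.EXAMPLE.COM", "EXAMPLE.COM", "Y.EXAMPLE.COM"],
                      ["EXAMPLE.COM"],
                      ["EXAMPLE.ORG"]):
        print(transited, accept_transit(client, server, transited, False))
```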
