Null realms and servers
Sam Hartman
hartmans at MIT.EDU
Wed Dec 27 15:16:36 EST 2006
>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
Nicolas> On Sun, Dec 24, 2006 at 11:18:34PM -0500, Sam Hartman
Nicolas> wrote:
>> Nico, I completely understand zero-conf clients. But I don't
>> currently believe in zero-conf servers. You need to get the
>> keytab onto the machine somehow. At that point you could set a
>> default realm or configure a domain_realm mapping.
Nicolas> Zero-conf servers need acceptor credentials, true, but if
Nicolas> they need nothing else that would need to be maintained,
Nicolas> that'd be great.
Nicolas> Now, servers don't need domain_realm relations, so this
Nicolas> is not an issue for servers.
Servers do need domain_realm relations today. Everyone who has stated
an opinion seems to believe that default_realm is more accurate than
trimming the hostname off the domain and upcasing the result (our
current behavior).
I think you're saying that you want some behavior that does not depend
on a default realm being set. It's hard to tell because you are
confusing (at least in what you write) client and server behavior.
So, I'm going to assume that we are discussing what happens when there
is no default realm set on a server.
First, I'll point out that we both agree that servers need keytabs.
Software that installs the keytab could set a default realm based on
the realm in the keytab if there is not already a default realm set.
Alternatively, as you point out, in the case where no default realm is
set you could run your algorithm against the principals in the keytab.
So, I conclude that the proposed 1.6 behavior of using the default
realm is an improvement and does not preclude future directions we'd
like to follow.
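An added illustration of the installer idea in the message above (not code from this thread or from MIT krb5): read the realms out of a version 0x0502 keytab and choose a default realm only when none is set. The function names and the rule of returning None when the keytab holds more than one realm are assumptions, the sample keytab is constructed, and this is not the algorithm Nicolas proposed, which the message does not spell out.

```python
import struct

def keytab_realms(data: bytes) -> list:
    """Distinct realms of the principals in a version 0x0502 keytab, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    realms, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                      # zero length: no more entries
            break
        if size < 0:                       # negative length: deleted entry, skip it
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        if len(entry) < size or size < 4:
            raise ValueError("truncated keytab entry")
        _ncomp, rlen = struct.unpack_from(">HH", entry, 0)
        if 4 + rlen > size:
            raise ValueError("realm length exceeds entry")
        realm = entry[4:4 + rlen].decode("utf-8")
        if realm not in realms:
            realms.append(realm)
    return realms

def heuristic_realm(fqdn: str) -> str:
    """The fallback the message calls current behavior: drop the host label, upcase the rest."""
    return fqdn.partition(".")[2].upper()

def realm_to_configure(default_realm, keytab: bytes):
    """Installer policy (assumed): keep an existing default realm; otherwise use the
    keytab's realm only when it is unambiguous; otherwise None (leave it to the admin)."""
    if default_realm:
        return default_realm
    realms = keytab_realms(keytab)
    return realms[0] if len(realms) == 1 else None

def make_entry(realm: str, comps: list) -> bytes:
    """Build one constructed keytab entry with a dummy all-zero aes128 key (sample data)."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm.encode())
    body += b"".join(s(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, 1, 17) + s(b"\0" * 16)  # name type, time, kvno, enctype
    return struct.pack(">i", len(body)) + body

# Constructed sample: host in example.org, but its key belongs to CORP.EXAMPLE.
SAMPLE = b"\x05\x02" + make_entry("CORP.EXAMPLE", ["host", "www.example.org"])

if __name__ == "__main__":
    print(heuristic_realm("www.example.org"), realm_to_configure(None, SAMPLE))
```

For the constructed host the hostname heuristic and the keytab disagree, which is the case where a realm taken from the keytab or from default_realm matters.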