Kerberos dev project for review: domain_realm mapping via KDC referral

Russ Allbery rra at stanford.edu
Mon Apr 28 20:34:58 EDT 2008


Ken Raeburn <raeburn at MIT.EDU> writes:

> That said, I guess customers of Sun, Apple, Red Hat, etc., aren't going
> to want to recompile things to add a new name, are they?  Okay, how
> about this:
>
> [kdc]
>   host_based_services = foo bar
>   host_based_services = baz
>
> ...adds foo, bar, and baz to the compiled-in default list, and no option
> to disable or subtract from the default list.  Would that be sufficient?

That would work for me.

>> I think having a configurable list of components is better than just
>> looking at the second component and checking whether it looks like a
>> hostname.

> You mean, be able to say that, if the first component is "fred", we
> treat component 3 as the hostname?  This is supposed to be a minimal
> implementation -- sufficient to handle your basic host-based services,
> nothing terribly fancy.  Just enough to be able to get rid of the
> domain_realm specs in most client cases.

No, rather that just because the second component is foo.example.com,
don't assume that we should do referrals without verifying that the first
part of the name is really in the host_based_services list.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
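
The check discussed in this message, as an added example that is not part of the original post and is not MIT krb5 code: the `host_based_services` values from the quoted `[kdc]` snippet are appended to a default list, and a principal is treated as a referral candidate only when its first component is on that list. The names `svc_list`, `add_services`, `build_list` and `referral_candidate`, the default entry `host`, and the "contains a dot" hostname test are all assumptions made for illustration.

```c
#include <string.h>

#define MAX_SVC 32
#define MAX_LEN 64
/* Constructed stand-in for the compiled-in defaults (not given in the thread). */
#define DEFAULT_SERVICES "host"

struct svc_list { char names[MAX_SVC][MAX_LEN]; size_t n; };

/* Append each whitespace-separated name found in one configuration value. */
static void add_services(struct svc_list *l, const char *value)
{
    while (*value != '\0' && l->n < MAX_SVC) {
        value += strspn(value, " \t");
        size_t len = strcspn(value, " \t");
        if (len > 0 && len < MAX_LEN) {
            memcpy(l->names[l->n], value, len);
            l->names[l->n][len] = '\0';
            l->n++;
        }
        value += len;
    }
}

/* Defaults first, then every host_based_services value; nothing is removed. */
static void build_list(struct svc_list *l, const char **values, size_t nvalues)
{
    size_t i;
    l->n = 0;
    add_services(l, DEFAULT_SERVICES);
    for (i = 0; i < nvalues; i++)
        add_services(l, values[i]);
}

/* Returns 1 only for "service/host" with a listed service; realm already stripped. */
static int referral_candidate(const struct svc_list *l, const char *princ)
{
    const char *slash = strchr(princ, '/');
    size_t i, len;
    if (slash == NULL || strchr(slash + 1, '/') != NULL)
        return 0;                      /* not exactly two components */
    if (strchr(slash + 1, '.') == NULL)
        return 0;                      /* assumed test: hostname contains a dot */
    len = (size_t)(slash - princ);
    for (i = 0; i < l->n; i++)
        if (strlen(l->names[i]) == len && memcmp(l->names[i], princ, len) == 0)
            return 1;
    return 0;
}
```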


