Kerberos dev project for review: domain_realm mapping via KDC referral

Henry B. Hotz hotz at
Tue Apr 29 12:37:21 EDT 2008

Since "host-based" is the normal situation, shouldn't the list be the  

On Apr 28, 2008, at 9:24 PM, krbdev-request at wrote:

> Date: Mon, 28 Apr 2008 17:34:58 -0700
> From: Russ Allbery <rra at>
> Subject: Re: Kerberos dev project for review: domain_realm mapping via KDC referral
> To: MIT Kerberos Dev List <krbdev at>
> Message-ID: <873ap5o5vx.fsf at>
> Content-Type: text/plain; charset=us-ascii
> Ken Raeburn <raeburn at MIT.EDU> writes:
>> That said, I guess customers of Sun, Apple, Red Hat, etc., aren't going
>> to want to recompile things to add a new name, are they?  Okay, how
>> about this:
>> [kdc]
>>  host_based_services = foo bar
>>  host_based_services = baz
>> ...adds foo, bar, and baz to the compiled-in default list, and no option
>> to disable or subtract from the default list.  Would that be sufficient?
> That would work for me.
>>> I think having a configurable list of components is better than just
>>> looking at the second component and checking whether it looks like a
>>> hostname.
>> You mean, be able to say that, if the first component is "fred", we
>> treat component 3 as the hostname?  This is supposed to be a minimal
>> implementation -- sufficient to handle your basic host-based services,
>> nothing terribly fancy.  Just enough to be able to get rid of the
>> domain_realm specs in most client cases.
> No, rather that just because the second component is,
> don't assume that we should do referrals without verifying that the first
> part of the name is really in the host_based_services list.
> -- 
> Russ Allbery (rra at             < 
> >

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
