Kerberos dev project for review: domain_realm mapping via KDC referral
John Hascall
john at iastate.edu
Tue Apr 29 14:16:12 EDT 2008
Ken Raeburn <raeburn at mit.edu> writes:
> On Apr 28, 2008, at 19:01, Russ Allbery wrote:
> > I would prefer to be able to configure the list of services in a KDC
> > configuration file from early on rather than using a hard-coded list,
> > since we frequently run into host-based principals of types that
> > software isn't already familiar with.
> I definitely think it's desirable for a site to be able to define
> their own. I'm just concerned that the default list (presumably, the
> same set as used by krb5_524_conv_principal) is going to be non-trivial
> in size anyways, and do we want sites to be able to remove
> entries relative to MIT's default settings, and/or replace the full
> list? That could be tricky without making the admin copy the default
> list into the config file and start editing from there, and that's a
> pretty ugly solution too.
PLEASE, no more evilness like the compiled-in krb5_524_conv_principal
table (which we have ripped out and replaced with a config-file option
here since 1.0.5 BTW).
> .... Okay, how about this:
> [kdc]
> host_based_services = foo bar
> host_based_services = baz
As others have mentioned, I think it makes more sense to
treat */looks.like.an.fqdn as a "host_based_service" unless
there is a config-file option to turn it off. Perhaps:
[kdc]
no_host_referral = host ftp
(why you want to turn those two off escapes me, but go with it)
and perhaps even an option to just turn it off entirely:
[kdc]
host_referral = no
John
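A small C model of the policy sketched in this message (an added example, not MIT krb5 code): a `svc/instance` principal gets host-based referral processing when the instance looks like an FQDN, unless `host_referral = no` is set or the service is listed in `no_host_referral`. The function name and passing the parsed config values in as plain strings are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Decide whether the KDC should treat `princ` ("svc/instance[@REALM]") as a
 * host-based service for referral purposes.  Hypothetical helper modelling
 * the proposal above, not code from MIT krb5.
 *   no_host_referral: space-separated services to exempt, e.g. "host ftp"
 *   host_referral:    false when the admin sets host_referral = no         */
bool kdc_should_host_refer(const char *princ,
                           const char *no_host_referral,
                           bool host_referral)
{
    char svc[64];
    const char *slash, *inst, *end, *p;
    size_t svclen;

    if (!host_referral)
        return false;                      /* feature turned off entirely */

    /* Split off the service name; a principal with no instance is a user. */
    slash = strchr(princ, '/');
    if (slash == NULL || slash == princ)
        return false;
    svclen = (size_t)(slash - princ);
    if (svclen >= sizeof(svc))
        return false;
    memcpy(svc, princ, svclen);
    svc[svclen] = '\0';

    /* The instance runs up to '@' (realm excluded from the FQDN test). */
    inst = slash + 1;
    end = strchr(inst, '@');
    if (end == NULL)
        end = inst + strlen(inst);

    /* Default rule: "looks like an FQDN" means the instance contains a dot. */
    if (memchr(inst, '.', (size_t)(end - inst)) == NULL)
        return false;

    /* no_host_referral = host ftp  ->  those services are exempted. */
    p = no_host_referral ? no_host_referral : "";
    while (*p != '\0') {
        const char *q;
        while (*p == ' ')
            p++;
        for (q = p; *q != '\0' && *q != ' '; q++)
            ;
        if ((size_t)(q - p) == svclen && strncmp(p, svc, svclen) == 0)
            return false;
        p = q;
    }
    return true;
}
```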