Kerberos dev project for review: domain_realm mapping via KDC referral

Russ Allbery
Tue Apr 29 16:58:33 EDT 2008

Ken Raeburn <raeburn at MIT.EDU> writes:

> I would ask for a patch, except I'm hesitant to put more realm-wide
> config information into the config files that have to manually be kept
> in sync across all KDCs.  (Yes, some of it could be automated, if one
> wanted, but with potential per-KDC config options like pw-checking
> plugins in there too, it's not simply copying the file from KDC to KDC.)
> This sort of info should be maintained per-realm and distributed with
> the other per-realm data (principals, key, policies), but that's another
> project.
> Of course, the domain_realm mapping would now affect the KDC behavior in
> a way where it should be kept in sync realm-wide.  *sigh*

I would argue here that you're biting off more than you have to chew.
Yes, keeping KDC configuration in sync is a problem, but it's not *your*
problem.  It's a problem universal to essentially every type of UNIX
server and organizations already have mechanisms to handle this.
Stanford University uses Puppet, for example; other sites might use
Cfengine, or depot, or other systems.

As long as you provide a configuration mechanism, I think you can
reasonably leave the task of managing those configuration files to other
applications; the KDC configuration is only a small part of the
configuration that we have to manage and keep in sync across all of our
KDCs (users, authorization infrastructure, monitoring, etc.).

> Yeah, I'm starting to think that defaulting to host-principal treatment
> is the better way to go, unless Russ's unease turns into a real use case
> with bad behavior.  (I confess to a little unease myself, but I think
> it's just reluctance to change the default behavior.)

Yeah, I don't have any concrete ideas of where this would break.

> Is there really a need to turn this code off?  It shouldn't make any
> difference in returned data unless someone is actually talking to the
> KDC for the wrong realm and requesting a referral.  The KDC does do a
> bit more work, mainly examining the domain_realm mapping data.

The only thing I can think of is that we use some namespaces for
explicitly non-host principals (service/* around here), and the service
name might contain a period for some reason but the "domain" be something
completely random.

Russ Allbery
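To make the behaviour under discussion concrete, here is an added illustration (not MIT krb5 code and not anything either poster wrote) of a KDC consulting a [domain_realm]-style mapping to refer a client that asked the wrong realm for a host-based principal, with the "default to host-principal treatment" rule and the caveat about non-host namespaces such as service/* whose instance happens to contain a period. The mapping, the realm names, the domain_realm matching order (exact hostname, then parent domains with a leading dot) and the `NONHOST_PREFIXES` knob are all assumptions of this example, not krb5.conf options or KDC code.

```python
"""Model of domain_realm-driven KDC referrals (added example, not krb5 code)."""
from typing import Optional, Sequence

# Constructed stand-in for a krb5.conf [domain_realm] section.  A key with a
# leading dot stands for every host in that domain; a key without one is an
# exact hostname.  Both the entries and the realm names are invented here.
DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",
    ".eng.example.com": "ENG.EXAMPLE.COM",
    "legacy.eng.example.com": "EXAMPLE.COM",
}

OUR_REALM = "EXAMPLE.COM"

# Namespaces a site uses for explicitly non-host service principals (the
# "service/*" convention from the message).  This knob is an assumption of
# the example; it is not a real krb5.conf setting.
NONHOST_PREFIXES: Sequence[str] = ("service",)


def lookup_domain_realm(hostname: str, mapping=DOMAIN_REALM) -> Optional[str]:
    """Longest-suffix match: exact hostname first, then each parent domain
    with a leading dot.  Matching is case-insensitive and ignores a
    trailing dot, so 'WWW.Eng.Example.COM.' behaves like the plain name."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def parse_principal(name: str):
    """Split 'comp1/comp2@REALM' into (components, realm); realm may be ''."""
    if "@" in name:
        princ, realm = name.rsplit("@", 1)
    else:
        princ, realm = name, ""
    return princ.split("/"), realm


def looks_host_based(components, nonhost_prefixes=NONHOST_PREFIXES) -> bool:
    """Default-to-host-principal treatment: two components and an instance
    containing a period, unless the first component is a namespace the site
    has declared non-host.  With an empty nonhost_prefixes this is exactly
    the case Russ worries about: 'service/foo.eng.example.com' would be
    treated as a host principal."""
    if len(components) != 2:
        return False
    if components[0] in nonhost_prefixes:
        return False
    return "." in components[1]


def referral_for(server_principal: str, our_realm: str = OUR_REALM,
                 mapping=DOMAIN_REALM,
                 nonhost_prefixes=NONHOST_PREFIXES) -> Optional[str]:
    """Realm a KDC for `our_realm` would refer the client to when asked for
    `server_principal`, or None when it should answer locally.  A referral
    is produced only when the name looks host-based, the mapping yields a
    realm, and that realm differs from ours; otherwise returned data is
    unchanged, which is the point made in the quoted message."""
    comps, _ = parse_principal(server_principal)
    if not looks_host_based(comps, nonhost_prefixes):
        return None
    realm = lookup_domain_realm(comps[1], mapping)
    if realm is None or realm == our_realm:
        return None
    return realm


if __name__ == "__main__":
    for p in ("host/www.eng.example.com", "host/legacy.eng.example.com",
              "host/db.example.com", "cifs/fs.eng.example.com",
              "service/foo.eng.example.com"):
        print(f"{p:32} -> {referral_for(p)}")
    # The same service/ name with no non-host namespace configured:
    print("service/foo.eng.example.com (no exclusion) ->",
          referral_for("service/foo.eng.example.com", nonhost_prefixes=()))
```

The last two lines of the driver show the trade-off in the thread: with host-principal treatment as the default, the only way to keep a dotted service/* instance from being looked up in domain_realm (and possibly referred elsewhere) is some per-site exclusion, which is itself one more piece of realm-wide configuration to keep in sync across KDCs.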
