Kerberos dev project for review: domain_realm mapping via KDC referral
rra at stanford.edu
Tue Apr 29 16:58:33 EDT 2008
Ken Raeburn <raeburn at MIT.EDU> writes:
> I would ask for a patch, except I'm hesitant to put more realm-wide
> config information into the config files that have to manually be kept
> in sync across all KDCs. (Yes, some of it could be automated, if one
> wanted, but with potential per-KDC config options like pw-checking
> plugins in there too, it's not simply copying the file from KDC to KDC.)
> This sort of info should be maintained per-realm and distributed with
> the other per-realm data (principals, key, policies), but that's another
> Of course, the domain_realm mapping would now affect the KDC behavior in
> a way where it should be kept in sync realm-wide. *sigh*
I would argue here that you're biting off more than you have to chew.
Yes, keeping KDC configuration in sync is a problem, but it's not *your*
problem. It's a problem universal to essentially every type of UNIX
server and organizations already have mechanisms to handle this.
Stanford University uses Puppet, for example; other sites might use
Cfengine, or depot, or other systems.
As long as you provide a configuration mechanism, I think you can
reasonably leave the task of managing those configuration files to other
applications; the KDC configuration is only a small part of the
configuration that we have to manage and keep in sync across all of our
KDCs (users, authorization infrastructure, monitoring, etc.).
> Yeah, I'm starting to think that defaulting to host-principal treatment
> is the better way to go, unless Russ's unease turns into a real use case
> with bad behavior. (I confess to a little unease myself, but I think
> it's just reluctance to change the default behavior.)
Yeah, I don't have any concrete ideas of where this would break.
> Is there really a need to turn this code off? It shouldn't make any
> difference in returned data unless someone is actually talking to the
> KDC for the wrong realm and requesting a referral. The KDC does to a
> bit more work, mainly examining the domain_realm mapping data.
The only thing I can think of is that we use some namespaces for
explicitly non-host principals (service/* around here), and the service
name might contain a period for some reason but the "domain" be something
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev