Realm lookups again

Nicolas Williams Nicolas.Williams at
Wed Oct 1 18:21:34 EDT 2008

On Wed, Oct 01, 2008 at 06:14:21PM -0400, Jeffrey Hutzelman wrote:
> --On Wednesday, October 01, 2008 03:28:03 PM -0500 Nicolas Williams 
> <Nicolas.Williams at> wrote:
> >It's a pretty good bet that sub-domain/sub-realm relationships imply
> >that that the child domain/realm trusts the parent not to attack it
> >willfully.  "Willfully" is a key word there; the parent might be
> >compromised and forced to attack the child.
> I'm not sure this is true.  It's entirely possible that a large enterprise 

I didn't say it was certainly true.  As I said, I think it'd be right to
default the algorithm to use only the host's domain, not any of its

> has a smaller core of trusted services which live in a separate realm, not 
> operated by the same people who operate the top-level realm, and which does 
> not trust the top-level realm.  Think of a security group within a large 
> company, or a large legal or financial firm with a small group that lives 
> behind a Chinese wall, or a government contractor with a group that does 
> classified work.

I could see that, which is why I hedged what I wrote ("pretty good

> I'm nervous about making the assumption that organizational structure 
> implies trust relationships.  It is very common to create smaller 
> organizational units which are either unusually trusted or unusually 
> distrusted compared to the rest of the organization.

I'm not arguing about what the default should be.  Just that there
should be a way to get a host2realm() that: a) is simple, b) doesn't
require KDC-side configuration of such mappings, c) doesn't require
client-side configuration of them either.

More information about the krbdev mailing list