Realm lookups again
ghudson at MIT.EDU
Thu Oct 2 02:35:18 EDT 2008
Here is my current thinking on the patch, based on the discussion so far:
1. The default_realm part of the patch is of limited value. It's not a
safe default, which means it can't (without compromising security)
accomplish the goal of making Kerberos work with zero configuration.
Once there is any kind of configuration requirement, people are better
off configuring the default realm.
2. The host->realm part of the patch would let people throw away most of
their domain_realm table. So does
http://k5wiki.kerberos.org/wiki/Projects/domain_realm_referrals ; I
would be interested to know what the status of that project is, and
whether people think it would supplant the need for a DNS heuristic or
complement it. Or if people think the DNS heuristic is a better idea
than domain realm referrals.
Assuming we do want the code for the DNS heuristic for host->realm
mappings, it has some security implications when used in combination
with dns_lookup_kdc (which is on by default), and therefore should not
be turned on by default. I am open to opinions on what the
configuration schema should be for enabling it; there is some room for
confusion with the existing dns_lookup_realm variable.
Thanks for the input so far.
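For readers unfamiliar with the domain_realm table the post refers to, here is an added example (not part of the thread and not MIT krb5 code) that parses a constructed [domain_realm] section and resolves a hostname to a realm by static lookup; the matching order (exact host, then parent domains with a leading dot, longest first) is assumed from the documented krb5 behaviour, and a None result marks the point where a DNS-based heuristic would otherwise be consulted if it were enabled.

```python
import re

# Constructed krb5.conf fragment (sample input, not from the thread).
# dns_lookup_realm is left off; realm selection comes only from the table.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .lab.example.com = LAB.EXAMPLE.COM
    kdc-legacy.example.com = OLD.EXAMPLE.COM
"""

def parse_section(conf: str, name: str) -> dict:
    """Return key -> value for one [section] of a krb5.conf-style file."""
    section, out = None, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == name and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip().lower()] = value.strip()
    return out

def host_realm(host: str, domain_realm: dict):
    """Map a hostname to a realm using only the static [domain_realm] table.
    Assumed order: the exact host first, then each parent domain prefixed
    with a dot, longest match first. Returns None when no entry applies."""
    host = host.lower().rstrip(".")            # table keys are lower case
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return None                                # no static mapping known

if __name__ == "__main__":
    table = parse_section(KRB5_CONF, "domain_realm")
    for h in ("www.example.com", "box.lab.example.com", "host.other.org"):
        print(h, "->", host_realm(h, table))
```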