Realm lookups again

Greg Hudson ghudson at MIT.EDU
Thu Oct 2 02:35:18 EDT 2008


Here is my current thinking on the patch, based on the discussion so far:

1. The default_realm part of the patch is of limited value.  It's not a 
safe default, which means it can't (without compromising security) 
accomplish the goal of making Kerberos work with zero configuration.  
Once there is any kind of configuration requirement, people are better 
off configuring the default realm.

2. The host->realm part of the patch would let people throw away most of 
their domain_realm table.  So does 
http://k5wiki.kerberos.org/wiki/Projects/domain_realm_referrals ; I 
would be interested to know what the status of that project is, and 
whether people think it would supplant the need for a DNS heuristic or 
complement it.  Or if people think the DNS heuristic is a better idea 
than domain realm referrals.

Assuming we do want the code for the DNS heuristic for host->realm 
mappings, it has some security implications when used in combination 
with dns_lookup_kdc (which is on by default), and therefore should not 
be turned on by default.  I am open to opinions on what the 
configuration schema should be for enabling it; there is some room for 
confusion with the existing dns_lookup_realm variable.

Thanks for the input so far.
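An added illustration, not part of Greg's message or of the patch under discussion, of the two trust sources he contrasts as they appear in a krb5.conf. The patch's heuristic is a different mechanism from the existing dns_lookup_realm option, but the shape of the concern is the same, so the fragments use the existing option. In the first fragment the realm of a host is derived from DNS TXT records and the KDC for that realm is located via DNS SRV records, so whoever controls the DNS answers the client sees chooses both the realm name and the KDC the client talks to. In the second, the realm comes from a static domain_realm table and only the KDC's address comes from DNS, which is the combination shipped by default and is tolerable because a KDC reached that way cannot issue tickets for EXAMPLE.COM without that realm's keys. The realm and host names are placeholders.

```ini
# Added example, not from the original message or the patch.
# EXAMPLE.COM and the example.com hostnames are assumed placeholders.

# ---- Fragment 1 (weak): realm AND KDC both come from unauthenticated DNS ----
# With dns_lookup_realm = true and no [domain_realm] entry for a host,
# libkrb5 reads the realm of host.example.com from a _kerberos.example.com
# TXT record, then locates a KDC for that realm via _kerberos._udp.<REALM>
# SRV records.  An attacker who can answer both queries picks the realm
# name and the KDC, so nothing the client then does is anchored in
# local configuration.
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true

# ---- Fragment 2 (recommended): realm fixed locally, only KDC address from DNS ----
# dns_lookup_realm is left at its default of false and the host->realm
# mapping is spelled out in [domain_realm].  dns_lookup_kdc stays on
# (its default), so the KDC address still comes from SRV records, but a
# KDC reached that way has to hold EXAMPLE.COM's keys to issue tickets
# the client or service will accept.
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Put each fragment in its own krb5.conf rather than both in one file: a single file with two [libdefaults] sections is parsed, but the first value seen for a single-valued relation wins, which makes the result hard to reason about.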
