Realm lookups again

Nicolas Williams Nicolas.Williams at
Thu Oct 2 13:38:20 EDT 2008

On Thu, Oct 02, 2008 at 02:35:18AM -0400, Greg Hudson wrote:
> Assuming we do want the code for the DNS heuristic for host->realm 
> mappings, it has some security implications when used in combination 
> with dns_lookup_kdc (which is on by default), and therefore should not 
> be turned on by default.  I am open to opinions on what the 
> configuration schema should be for enabling it; there is some room for 
> confusion with the existing dns_lookup_realm variable.

One possibility:

        host2realm_parents = <count of parent domains to try, 0 for
                              none; default to 0>


        host2realm_safe_parents = <count of parent domains to try, 0 for
                                   none, but without using DNS for KDC
                                   lookups; default to 1>
        host2realm_unsafe_parents = <count of parent domains to try w/
                                     dns_lookup_kdc, 0 for none; default
                                     to 0>


More information about the krbdev mailing list