Realm lookups again
Nicolas Williams
Nicolas.Williams at sun.com
Thu Oct 2 13:38:20 EDT 2008
On Thu, Oct 02, 2008 at 02:35:18AM -0400, Greg Hudson wrote:
> Assuming we do want the code for the DNS heuristic for host->realm
> mappings, it has some security implications when used in combination
> with dns_lookup_kdc (which is on by default), and therefore should not
> be turned on by default. I am open to opinions on what the
> configuration schema should be for enabling it; there is some room for
> confusion with the existing dns_lookup_realm variable.
One possibility:
    [libdefaults]
        host2realm_parents = <count of parent domains to try, 0 for
                              none; default to 0>
Another:
    [libdefaults]
        host2realm_safe_parents = <count of parent domains to try, 0 for
                                   none, but without using DNS for KDC
                                   lookups; default to 1>
        host2realm_unsafe_parents = <count of parent domains to try w/
                                     dns_lookup_kdc, 0 for none; default
                                     to 0>
Nico