Realm lookups again

Greg Hudson ghudson at MIT.EDU
Sat Oct 4 10:36:46 EDT 2008

Thanks for the input so far.  One final (I hope) question about the
host->realm heuristic:

    domain = fqdn;
    while (domain.label_count > 2) {
	domain = pop_label(domain);
	realm = domain2realm(domain); /* for ASCII: toupper() */
	if (lookup_kdcs(realm) > 0)
	realm = NULL;

Is there any reason not to check the domain itself as a realm?  For
example, if you are doing Kerberized HTTP authentication to,
would you not want the client to intuit that the appropriate realm of is SUN.COM?

(I reviewed the Dec 2006 and April 2008 threads about this topic, and
found no direct discussion of this specific point.)

More information about the krbdev mailing list