Realm lookups again

Greg Hudson ghudson at MIT.EDU
Sat Oct 4 10:36:46 EDT 2008


Thanks for the input so far.  One final (I hope) question about the
host->realm heuristic:

    domain = fqdn;
    while (domain.label_count > 2) {
        domain = pop_label(domain);          /* drop the leftmost label */
        realm = domain2realm(domain);        /* for ASCII: toupper() */
        if (lookup_kdcs(realm) > 0)          /* any KDCs for this realm? */
            break;
        realm = NULL;
    }

Is there any reason not to check the domain itself as a realm?  For
example, if you are doing Kerberized HTTP authentication to sun.com,
would you not want the client to intuit that the appropriate realm of
sun.com is SUN.COM?

(I reviewed the Dec 2006 and April 2008 threads about this topic, and
found no direct discussion of this specific point.)
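The heuristic sketched above, as an added example that is not code from the post or from krb5: the KDC table, the realm names and the helper names are constructed for this example, and the check_self flag models the variant the post asks about (testing the name itself before popping labels), which the original sketch never does for a bare two-label name.

```c
#include <ctype.h>
#include <string.h>

/* Constructed stand-in for a DNS SRV / krb5.conf KDC lookup (made-up realms):
 * lookup_kdcs() returns 1 for a realm in the table and 0 otherwise. */
static const char *known_realms[] = { "EXAMPLE.COM", "ENG.EXAMPLE.NET" };
static int lookup_kdcs(const char *realm)
{
    for (size_t i = 0; i < sizeof(known_realms) / sizeof(known_realms[0]); i++)
        if (strcmp(realm, known_realms[i]) == 0)
            return 1;
    return 0;
}

/* domain2realm for ASCII names: copy domain into out, uppercased. */
static void domain2realm(const char *domain, char *out, size_t outlen)
{
    size_t i;
    for (i = 0; i + 1 < outlen && domain[i] != '\0'; i++)
        out[i] = (char)toupper((unsigned char)domain[i]);
    out[i] = '\0';
}

/* Count dot-separated labels ("a.b.c" -> 3, "" -> 0). */
static int label_count(const char *domain)
{
    int n = (*domain != '\0');
    for (; *domain != '\0'; domain++)
        if (*domain == '.')
            n++;
    return n;
}

/* The heuristic from the post.  check_self == 0 follows the sketch: pop a
 * label, then test, while more than two labels remain, so a bare two-label
 * name is never tested.  check_self != 0 also tests the name itself first
 * (sun.com -> SUN.COM).  Returns a static buffer (not reentrant) or NULL. */
const char *guess_realm(const char *fqdn, int check_self)
{
    static char realm[256];
    const char *domain = fqdn;
    if (check_self) {
        domain2realm(domain, realm, sizeof(realm));
        if (lookup_kdcs(realm) > 0)
            return realm;
    }
    while (label_count(domain) > 2) {
        domain = strchr(domain, '.') + 1;           /* pop_label */
        domain2realm(domain, realm, sizeof(realm)); /* for ASCII: toupper() */
        if (lookup_kdcs(realm) > 0)
            return realm;
    }
    return NULL;
}
```

With check_self == 0, guess_realm("example.com", 0) returns NULL even though EXAMPLE.COM has KDCs in the table; with check_self == 1 it returns "EXAMPLE.COM".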
