Initial Auth Realm Fall-back

Russ Allbery rra at
Mon Aug 19 16:44:28 EDT 2013

"Henry B. Hotz" <hotz at> writes:

> Shouldn't the fallback option be in [appdefaults] instead?

Not if you want it to affect every library caller, which sounded like the
goal (so that it would affect kinit and any gic application).

> For the specific case of all the realms satisfying the NIST 800-63
> constraints on cross-realm relationships I think it's OK.  (From memory:
> that's all realms under the same administrative control, and all
> usernames synchronized, but don't hold me to it.)

If you have cross-realm, it's not at all clear that you would need this.
I expect it to be the most useful for client-side pseudo-merging of
multiple realms where you *don't* have cross-realm.

Russ Allbery (rra at             <>

More information about the krbdev mailing list