Initial Auth Realm Fall-back
Russ Allbery
rra at stanford.edu
Mon Aug 19 16:44:28 EDT 2013
"Henry B. Hotz" <hotz at jpl.nasa.gov> writes:
> Shouldn't the fallback option be in [appdefaults] instead?
Not if you want it to affect every library caller, which sounded like the
goal (so that it would affect kinit and any gic application).
> For the specific case of all the realms satisfying the NIST 800-63
> constraints on cross-realm relationships I think it's OK. (From memory:
> that's all realms under the same administrative control, and all
> usernames synchronized, but don't hold me to it.)
If you have cross-realm, it's not at all clear that you would need this.
I expect it to be the most useful for client-side pseudo-merging of
multiple realms where you *don't* have cross-realm.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev
mailing list