Initial Auth Realm Fall-back

Shawn M Emery shawn.emery at
Tue Aug 20 02:02:35 EDT 2013

On 08/19/13 02:44 PM, Russ Allbery wrote:
> "Henry B. Hotz" <hotz at> writes:
>> Shouldn't the fallback option be in [appdefaults] instead?
> Not if you want it to affect every library caller, which sounded like the
> goal (so that it would affect kinit and any gic application).

Yes, that was an additional goal over the current pam_krb5 solution.

>> For the specific case of all the realms satisfying the NIST 800-63
>> constraints on cross-realm relationships I think it's OK.  (From memory:
>> that's all realms under the same administrative control, and all
>> usernames synchronized, but don't hold me to it.)
> If you have cross-realm, it's not at all clear that you would need this.
> I expect it to be the most useful for client-side pseudo-merging of
> multiple realms where you *don't* have cross-realm.

Sorry, the realm names in the example should have not implied any form 
of hierarchy.


More information about the krbdev mailing list