Implicit REALM/DNS Mapping

Simo Sorce simo at
Wed Feb 1 06:37:49 EST 2017

On Tue, 2017-01-31 at 14:45 -0500, Greg Hudson wrote:
> On 01/31/2017 05:36 AM, Nathaniel McCallum wrote:
> > Currently, GSSAPI will select a non-default ccache if a
> > realm/domain
> > mapping exists in krb5.conf. However, this doesn't work if the KDC
> > was
> > found via discovery. Does MIT have any thoughts about implying an
> > implicit mapping in this case?
> I think I understand the problem to be solved, but I'm not sure how
> an
> implicit mapping would work.  KDC discovery doesn't help us to know
> what
> realm a server host is in; it only tells us how to contact the KDCs
> for
> a realm once we know its name.
> Rick van Rein's proposed discovery solution to this problem is
> DNSSEC-secured TXT records.  There are some difficulties inherent to
> implementing that, so while there is an open PR for it (
> ) it has not been merged.
> Another possible solution to this specific problem is to use the
> fallback realm for the purpose of GSSAPI ccache selection when no
> authoritative realm, since referrals cannot be performed before a
> ccache
> is chosen.  The most commonly applicable fallback is "chop off the
> first
> component and convert to uppercase," ( -> BAR.BAZ).

This is what we should do, it is the most common case of failure we've
seen to date.


More information about the krbdev mailing list