Implicit REALM/DNS Mapping

Simo Sorce simo at redhat.com
Wed Feb 1 06:37:49 EST 2017


On Tue, 2017-01-31 at 14:45 -0500, Greg Hudson wrote:
> On 01/31/2017 05:36 AM, Nathaniel McCallum wrote:
> > Currently, GSSAPI will select a non-default ccache if a realm/domain
> > mapping exists in krb5.conf. However, this doesn't work if the KDC
> > was found via discovery. Does MIT have any thoughts about implying an
> > implicit mapping in this case?
> 
> I think I understand the problem to be solved, but I'm not sure how an
> implicit mapping would work.  KDC discovery doesn't help us to know what
> realm a server host is in; it only tells us how to contact the KDCs for
> a realm once we know its name.
> 
> Rick van Rein's proposed discovery solution to this problem is
> DNSSEC-secured TXT records.  There are some difficulties inherent to
> implementing that, so while there is an open PR for it (
> https://github.com/krb5/krb5/pull/560 ) it has not been merged.
> 
> Another possible solution to this specific problem is to use the
> fallback realm for the purpose of GSSAPI ccache selection when no
> authoritative realm, since referrals cannot be performed before a ccache
> is chosen.  The most commonly applicable fallback is "chop off the first
> component and convert to uppercase," (foo.bar.baz -> BAR.BAZ).

This is what we should do, it is the most common case of failure we've
seen to date.

Simo.
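
The ccache-selection logic Greg sketches above, written out as an added
example (this is illustrative code, not MIT krb5's or GSSAPI's
implementation, and not what either does today). It does a simplified
krb5.conf-style [domain_realm] lookup first (exact host, then each parent
domain with a leading dot), applies the "chop off the first component and
uppercase" fallback when no explicit mapping exists, and then picks the
credential cache in a collection whose client principal lives in that
realm. The [domain_realm] entries, the cache names and the principals are
constructed sample data, not values from any real configuration. The last
case in the test shows the limit of the heuristic: a host two labels deep
in a realm gets a fallback realm no cache matches, so the default cache is
used and referrals would have to sort it out afterwards.

```python
"""Hostname -> realm mapping with an explicit [domain_realm]-style lookup,
the 'chop off the first label and uppercase' fallback, and ccache
selection by realm.  Illustrative code only; not MIT krb5's own logic."""

from typing import Dict, Optional

# Constructed sample of a krb5.conf [domain_realm] section (assumption).
DOMAIN_REALM: Dict[str, str] = {
    "kdc1.example.com": "EXAMPLE.COM",      # exact host entry
    ".example.com": "EXAMPLE.COM",          # leading dot: whole domain
    ".corp.example.net": "CORP.EXAMPLE.NET",
}

# Constructed cache collection: ccache name -> client principal it holds.
CCACHE_COLLECTION: Dict[str, str] = {
    "KEYRING:persistent:1000:krb_ccache_a": "alice@EXAMPLE.COM",
    "KEYRING:persistent:1000:krb_ccache_b": "alice@PARTNER.ORG",
}
DEFAULT_CCACHE = "KEYRING:persistent:1000:krb_ccache_a"


def _normalize(hostname: str) -> str:
    """Lower-case and drop a trailing dot, as krb5 does before matching."""
    return hostname.lower().rstrip(".")


def explicit_realm(hostname: str,
                   domain_realm: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """Simplified [domain_realm] lookup: exact hostname first, then each
    parent domain written with a leading dot, most specific first."""
    host = _normalize(hostname)
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


def fallback_realm(hostname: str) -> Optional[str]:
    """The heuristic from the thread: chop off the first component and
    upper-case the rest (foo.bar.baz -> BAR.BAZ).  A single-label host has
    nothing to chop, so no realm can be guessed for it."""
    labels = _normalize(hostname).split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[1:]).upper()


def host_realm(hostname: str,
               domain_realm: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """An explicit mapping wins; otherwise use the fallback heuristic."""
    return explicit_realm(hostname, domain_realm) or fallback_realm(hostname)


def select_ccache(server_host: str,
                  collection: Dict[str, str] = CCACHE_COLLECTION,
                  default: str = DEFAULT_CCACHE,
                  domain_realm: Dict[str, str] = DOMAIN_REALM) -> str:
    """Choose the cache whose client principal's realm equals the realm the
    server host maps to.  When no realm can be determined, or no cache in
    the collection holds credentials for it, return the default cache; a
    cache has to be chosen before any referral can be attempted."""
    realm = host_realm(server_host, domain_realm)
    if realm is None:
        return default
    for name, principal in collection.items():
        if principal.rsplit("@", 1)[-1] == realm:
            return name
    return default


if __name__ == "__main__":
    for host in ("web.example.com", "db.partner.org",
                 "files.eng.partner.org", "localhost"):
        print(f"{host:24} realm={host_realm(host)!s:18} "
              f"ccache={select_ccache(host)}")
```

Because referrals cannot run until a cache is selected, a wrong guess
(as for files.eng.partner.org above) is not fatal; it just means the
default cache is tried, which is the behaviour Nathaniel describes today.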
