Implicit REALM/DNS Mapping

Greg Hudson ghudson at
Tue Jan 31 14:45:47 EST 2017

On 01/31/2017 05:36 AM, Nathaniel McCallum wrote:
> Currently, GSSAPI will select a non-default ccache if a realm/domain
> mapping exists in krb5.conf. However, this doesn't work if the KDC was
> found via discovery. Does MIT have any thoughts about implying an
> implicit mapping in this case?

I think I understand the problem to be solved, but I'm not sure how an
implicit mapping would work.  KDC discovery doesn't help us to know what
realm a server host is in; it only tells us how to contact the KDCs for
a realm once we know its name.

Rick van Rein's proposed discovery solution to this problem is
DNSSEC-secured TXT records.  There are some difficulties inherent to
implementing that, so while there is an open PR for it ( ) it has not been merged.

Another possible solution to this specific problem is to use the
fallback realm for the purpose of GSSAPI ccache selection when no
authoritative realm, since referrals cannot be performed before a ccache
is chosen.  The most commonly applicable fallback is "chop off the first
component and convert to uppercase," ( -> BAR.BAZ).

More information about the krbdev mailing list