[36937] in Kerberos


Re: theory behind unique SPNs

daemon@ATHENA.MIT.EDU (Roland C. Dowdeswell)
Mon Apr 27 11:25:34 2015

Date: Mon, 27 Apr 2015 11:24:16 -0400
From: "Roland C. Dowdeswell" <elric@imrryr.org>
To: Ben H <bhendin@gmail.com>
Message-ID: <20150427152416.GA20242@roofdrak.imrryr.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAAd7auamOeqou_hXW9X06zRHu5OuircAsqoi6ORf0Gx0kz1gdQ@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Sun, Apr 26, 2015 at 07:08:38AM -0500, Ben H wrote:
>
> Thanks all.  Continued appreciation for your contributions and guidance.

Although I am not sure if it influenced the original design decisions,
there are also some operational benefits.  At a lot of companies,
you may have different teams responsible for different services
running on the same hosts.  If they use different names then they
do not place constraints on each other.  This can become important
if the software uses different Kerberos libraries that, e.g., support
different encryption types.  Or if you are using JGSS and want to
do key rotation, as JGSS does not re-read the keytab without restarting
a service---in this case, having separate names and hence keys
allows the different pieces of software to rotate their keys on a
separate schedule.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
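The point above about separate names giving separate keys, and so separate rotation schedules, can be made concrete at the keytab level. The following is an added example written for this archive page, not code from the thread or from MIT Kerberos: it builds and parses an MIT-format (0x0502) keytab in which the HTTP and ldap services on one host have their own principals, their own key types and their own kvnos, then rotates the HTTP key alone and checks that the ldap entry is untouched. The hostname, realm and key bytes are constructed placeholders; in practice the entries would be produced by `kadmin ktadd` rather than assembled by hand.

```python
"""Per-service SPNs in a keytab: independent keys, enctypes and kvnos.
Added example; hostnames, realm and key material are constructed."""
import struct
from dataclasses import dataclass

AES128_CTS_HMAC_SHA1_96 = 17   # enctype numbers from RFC 3962
AES256_CTS_HMAC_SHA1_96 = 18
KRB5_NT_PRINCIPAL = 1
KEYTAB_MAGIC = b"\x05\x02"     # MIT keytab file format version 0x0502


@dataclass
class KeytabEntry:
    principal: str       # "service/host@REALM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix used for realm, components and key."""
    return struct.pack(">H", len(b)) + b


def _take(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def encode_entry(e: KeytabEntry) -> bytes:
    name, realm = e.principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _counted(e.key)
    body += struct.pack(">I", e.kvno)          # 32-bit kvno extension field
    return struct.pack(">i", len(body)) + body


def write_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def read_keytab(data: bytes):
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("only keytab format 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _take(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _take(data, pos)
            comps.append(c)
        _ntype, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _take(data, pos)
        kvno = vno8
        if end - pos >= 4:           # prefer the 32-bit kvno when present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        principal = "/".join(c.decode() for c in comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, etype, key, ts))
    return entries


def rotate(entries, principal, new_key, enctype):
    """Append a new key (kvno + 1) for one principal; other principals are untouched."""
    current = max((e.kvno for e in entries if e.principal == principal), default=0)
    return entries + [KeytabEntry(principal, current + 1, enctype, new_key)]


def kvnos_by_principal(entries):
    out = {}
    for e in entries:
        out.setdefault(e.principal, []).append(e.kvno)
    return {p: sorted(v) for p, v in out.items()}


def enctypes_by_principal(entries):
    out = {}
    for e in entries:
        out.setdefault(e.principal, set()).add(e.enctype)
    return out


def demo():
    http = "HTTP/app.example.com@EXAMPLE.COM"   # placeholder host and realm
    ldap = "ldap/app.example.com@EXAMPLE.COM"
    entries = [
        KeytabEntry(http, 3, AES256_CTS_HMAC_SHA1_96, bytes(range(32))),   # constructed key
        KeytabEntry(ldap, 3, AES128_CTS_HMAC_SHA1_96, bytes(range(16))),   # constructed key
    ]
    # Rotate only the HTTP service's key; the ldap service keeps its kvno 3 key.
    rotated = rotate(entries, http, bytes(range(32, 64)), AES256_CTS_HMAC_SHA1_96)
    return read_keytab(write_keytab(rotated))


if __name__ == "__main__":
    for e in demo():
        print(f"{e.principal:36} kvno={e.kvno} enctype={e.enctype}")
```

Running it lists two HTTP entries (kvno 3 and 4, both aes256) beside a single ldap entry (kvno 3, aes128). Had both services shared one principal, such as host/app.example.com, the rotation would have bumped the kvno for both and forced a restart of whichever one cannot re-read the keytab.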
