[1175] in Kerberos
Re: Realm name conventions
daemon@ATHENA.MIT.EDU (Jon A. Rochlis)
Thu Dec 6 14:01:59 1990
From: jon@MIT.EDU (Jon A. Rochlis)
To: hilary@snll-arpagw.llnl.gov (Hilary Jones)
Cc: kerberos@ATHENA.MIT.EDU
In-Reply-To: Your message of Mon, 19 Nov 90 08:55:43 -0800.
Date: Thu, 06 Dec 90 13:17:32 EST

> I have a question about realm names. If we name our realms using the
> normal domain name approach, then the most specific part of the name
> comes first and the most general part comes last. For example, we might
> use a name like ROOM.BUILDING.SITE.COMPANY.GOV if we used the domain name
> convention. On the other hand, writing it the other way around seems more
> intuitive, perhaps because I am used to the way Unix files are named.
> In this case, I would use GOV.COMPANY.SITE.BUILDING.ROOM. The question
> is whether the arrangement of names matters from a technical point of
> view. That is, does Kerberos care whether domain names are compatible
> with realm names? And if it isn't an important issue now, will it
> become important in the future? What if I use Hesiod?

Hesiod isn't an issue here. There's one routine in the Kerberos
library which matters (krb_realmofhost). It looks in /etc/krb.realms
to map a host name (which presumably is offering an authenticated
service you wish to use) into a realm name. If the host is listed in
krb.realms then the domain name just falls out of that (unlikely).
Otherwise the domain part of the host may be used to map into a realm.
If the domain part is listed in krb.realms the realm supplied in
krb.realms is used, otherwise just the domain name is used.
You'll need to change krb_realmofhost and extend krb.realms if you
want to deal with both kinds of domain names. (Perhaps adding a simple
type of wildcarding, i.e. GOV.COMPANY.SITE.BUILDING.* is in realm
XXX instead of just .BUILDING.SITE.COMPANY.GOV means
*.BUILDING.SITE.COMPANY.GOV maps to YYY)
It doesn't seem that bad.
-- Jon
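
The lookup order described in the reply, plus the suggested prefix wildcard, as an added sketch that is not part of the original message and not the Kerberos library's own code. The function name `realm_of_host`, the `PREFIX.*` key syntax, the table contents and the -1 return for a host with no domain part are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample entries in the spirit of /etc/krb.realms (not a real file). */
struct entry { const char *key, *realm; };
static const struct entry table[] = {
    { "gw.site.company.gov",         "ZZZ" },  /* exact host name */
    { ".building.site.company.gov",  "YYY" },  /* domain part, leading dot */
    { "gov.company.site.building.*", "XXX" },  /* hypothetical prefix wildcard */
};
#define NENT (sizeof table / sizeof table[0])

/* Returns 0 and writes the realm into out, or -1 if nothing can be derived. */
int realm_of_host(const char *host, char *out, size_t n)
{
    const char *dom = strchr(host, '.');
    const char *hit = NULL;
    size_t i, klen;

    for (i = 0; i < NENT && !hit; i++)            /* 1. host itself is listed */
        if (strcasecmp(host, table[i].key) == 0) hit = table[i].realm;
    for (i = 0; dom && i < NENT && !hit; i++)     /* 2. domain part is listed */
        if (table[i].key[0] == '.' && strcasecmp(dom, table[i].key) == 0)
            hit = table[i].realm;
    for (i = 0; i < NENT && !hit; i++) {          /* 3. "PREFIX.*" wildcard */
        klen = strlen(table[i].key);
        if (klen > 2 && strcmp(table[i].key + klen - 2, ".*") == 0 &&
            strncasecmp(host, table[i].key, klen - 1) == 0 && host[klen - 1])
            hit = table[i].realm;
    }
    if (hit) { snprintf(out, n, "%s", hit); return 0; }
    if (!dom || !dom[1] || n == 0) return -1;     /* no domain part to fall back on */
    for (i = 0; dom[i + 1] && i + 1 < n; i++)     /* 4. domain name used as realm */
        out[i] = (char)toupper((unsigned char)dom[i + 1]);
    out[i] = '\0';
    return 0;
}
int main(void)
{
    const char *h[] = { "room.building.site.company.gov",
                        "GOV.COMPANY.SITE.BUILDING.ROOM", "GOV.COMPANY.SITE.LAB.PC" };
    char r[64];
    for (int i = 0; i < 3; i++)
        printf("%s -> %s\n", h[i], realm_of_host(h[i], r, sizeof r) ? "?" : r);
    return 0;
}
```

The third sample host shows what happens to a reversed-order name that no entry covers: step 4 takes everything after the first dot, so it lands in a realm called COMPANY.SITE.LAB.PC.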