[1718] in Kerberos
Re: Management and Kerberos
daemon@ATHENA.MIT.EDU (Joe Pato)
Thu Jan 16 14:54:45 1992
From: pato@apollo.com (Joe Pato)
Date: Thu, 16 Jan 92 13:59:22 EST
To: lunt@ctt.bellcore.com (Steve Lunt)
Cc: tardo@nac.enet.dec.com, kerberos@Athena.MIT.EDU
In-Reply-To: lunt@ctt.bellcore.com (Steve Lunt), thu, 16 jan 92 13:35:49
I would add krb.conf and krb.realm info to the list of things
that need to be managed centrally. Does anyone have any ideas how to
do this? Any code to implement it? As it stands, you need to have
the same /etc/krb.conf file everywhere. Every new realm and every
new server needs to be reflected in each krb.conf file all over.
Having such local config files is way too cumbersome for our
organization. Version 5 uses the same mechanism as Version 4 for
this. Also, the global-to-local name translation (aname) should also
be managed centrally.
-- Steve
The DCE implementation of Kerberos V5 needs neither the krb.conf nor
krb.realm file. Each DCE node contains a single DCE configuration file that
identifies the cell name (aka realm name) for the machine and the local
machine's principal name. All other locating information is obtained from the
global/cell name system. The name system does not need to be trusted - the KDC
is verified by the local machine since it is a principal and only shares its
key with legitimate KDCs.
-- Joe Pato
Cooperative Object Computing Division / East
Hewlett-Packard Company
pato@apollo.hp.com
-------
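
A simplified model of the point made in the reply above, added here as an illustration and not part of the original message or of the DCE code: a forged name-service answer cannot make a node accept an impostor KDC, because only a legitimate KDC holds the machine principal's key. An HMAC challenge-response stands in for the actual Kerberos exchange, and all names (`KDC`, `locate_and_verify`, `host/node1`, `example_cell`) are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample data: the machine principal's long-term key, which in
# this model is shared only with the legitimate KDC of its cell.
MACHINE_KEY = hashlib.sha256(b"constructed-machine-key").digest()


def _proof(key, principal, nonce):
    """MAC binding the reply to this principal and this fresh nonce."""
    msg = b"kdc-reply|" + principal.encode() + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class KDC:
    """Toy KDC that proves knowledge of a principal's key (not real Kerberos)."""

    def __init__(self, key_db):
        self.key_db = key_db  # principal name -> long-term key

    def respond(self, principal, nonce):
        # An impostor has no copy of the key and can only guess.
        key = self.key_db.get(principal) or os.urandom(32)
        return _proof(key, principal, nonce)


def locate_and_verify(name_service, cell, principal, machine_key):
    """Look up the cell's KDC in an untrusted name service, then verify it."""
    kdc = name_service[cell]   # the answer may be forged
    nonce = os.urandom(16)     # fresh per exchange, so old replies cannot be replayed
    reply = kdc.respond(principal, nonce)
    return hmac.compare_digest(reply, _proof(machine_key, principal, nonce))


def demo():
    principal = "host/node1"                 # constructed principal name
    real_kdc = KDC({principal: MACHINE_KEY})
    fake_kdc = KDC({})                       # server without the machine key
    honest_ns = {"example_cell": real_kdc}
    poisoned_ns = {"example_cell": fake_kdc}  # name service returns the wrong server
    return (
        locate_and_verify(honest_ns, "example_cell", principal, MACHINE_KEY),
        locate_and_verify(poisoned_ns, "example_cell", principal, MACHINE_KEY),
    )


if __name__ == "__main__":
    print(demo())
```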