[1723] in Kerberos
Re: Management and Kerberos
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Fri Jan 17 11:17:27 1992
Date: Fri, 17 Jan 92 10:37:03 EST
From: sommerfeld@apollo.com (Bill Sommerfeld)
To: jon@MIT.EDU
Cc: pato@apollo.com, lunt@ctt.bellcore.com, tardo@nac.enet.dec.com,
In-Reply-To: Jon A. Rochlis's message of Friday, January 17, 1992 5:14:46 am (EST)
   From: jon@MIT.EDU (Jon A. Rochlis)
   Date: Friday, January 17, 1992 5:14:46 am (EST)

   Joe, 2 questions:

   1) What does "local machine's principal name" mean? Does DCE require
   each client *machine* to have an authentication identity?

No, if there isn't a key on the local machine, the DCE login routines
do not verify the KDC (because they're not able to).

   2) How do you do the service name to realm name mapping? This is the
   one case that you can't ask a non-trusted name service, because you
   can then be fooled into getting tickets for the wrong realm (which
   could work just fine). Steve Kent pointed this one out quite a while
   ago.

DCE services are named through a global name system; the name of the
realm appears as part of the name of the service (or, if a
cell-relative name is given, it defaults to the local machine's
default realm).
- Bill
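
The realm mapping discussed in the second question, as an added example that is not part of the original message and is not DCE code: the realm is read out of the service name itself, next to the lookup pattern the question warns about. It assumes DNS-style cell names (the cell is the single component after the `/.../` global root); the function names, cell names and the name-service table are constructed for illustration.

```python
# Added illustration; function names and sample data are constructed,
# not DCE API calls.

GLOBAL_ROOT = "/.../"   # prefix of a DCE global name
CELL_ROOT = "/.:/"      # prefix of a DCE cell-relative name


def realm_from_name(service_name, local_default_realm):
    """Derive the realm from the service name itself, with no lookup.

    Assumption: DNS-style cell name, i.e. the cell is the single path
    component that follows the global root.
    """
    if service_name.startswith(GLOBAL_ROOT):
        cell, _, rest = service_name[len(GLOBAL_ROOT):].partition("/")
        if not cell or not rest:
            raise ValueError("global name lacks a cell or a service path")
        return cell
    if service_name.startswith(CELL_ROOT) and len(service_name) > len(CELL_ROOT):
        # Cell-relative name: fall back to the local machine's default realm.
        return local_default_realm
    raise ValueError("not a global or cell-relative name")


def realm_from_lookup(service_name, name_service):
    """The pattern the question warns about: accept whatever realm an
    unauthenticated name service returns for the service."""
    return name_service[service_name]


# Constructed sample: a name-service answer that has been altered so the
# service appears to live in a different realm.
SPOOFED_NAME_SERVICE = {
    "/.../cell-a.example/subsys/printer": "cell-evil.example",
}

if __name__ == "__main__":
    name = "/.../cell-a.example/subsys/printer"
    print("from name:  ", realm_from_name(name, "cell-b.example"))
    print("from lookup:", realm_from_lookup(name, SPOOFED_NAME_SERVICE))
```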