Re: Question about dns_lookup_realm and domain_realm
daemon@ATHENA.MIT.EDU (Jos Backus)
Fri Jun 27 12:07:53 2008
Date: Fri, 27 Jun 2008 09:06:53 -0700
From: Jos Backus <jos@catnook.com>
To: Jeffrey Altman <jaltman@secure-endpoints.com>
Message-ID: <20080627160653.GA18782@lizzy.catnook.local>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <4864DF03.2030008@secure-endpoints.com>
Cc: kerberos@mit.edu
Reply-To: jos@catnook.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Fri, Jun 27, 2008 at 08:37:23AM -0400, Jeffrey Altman wrote:
> > That's something my patch changes as it performs the DNS lookup first (when configured).
> Which in turn would disable Kerberos referrals.
Good to know. If referrals solve my problem, I'll set that up.
> There is a serious need for the zero configuration solution for Kerberos deployments.
> Of course, DNS is insecure so relying on DNS to bootstrap your authentication system is undesirable. That is not to say it has not been used but only because there have been no other choices.
Amen.
> For referrals to work the user must have already obtained a TGT. If you are trying to decide which identity a user should obtain a credential for based upon the host that the user is going to communicate with, that is not something that will be solved by referrals.
Understood. Thankfully that's not the issue here - the user already has a TGT.
> To be honest, I don't think it will be solved by domain_realm mappings whether stored locally or in DNS.
Based on what I know, I agree.
Thanks,
--
Jos Backus
jos at catnook.com
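For readers following the dns_lookup_realm versus domain_realm discussion above, here is an illustrative krb5.conf comparison added to this archive page; it is not from the thread or from MIT Kerberos, and EXAMPLE.COM, CORP.EXAMPLE.COM and the hostnames are placeholders. It contrasts letting the library bootstrap host-to-realm selection from DNS with pinning that mapping locally so DNS answers cannot influence which realm a client asks for.

```ini
# Constructed example, not from the thread. Choose ONE of the two fragments;
# they are shown together only for comparison. All names are placeholders.

# ---- Fragment A (weak): host -> realm decided by DNS _kerberos TXT lookups ----
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true     # an attacker who controls DNS answers can steer the
                                # client to a realm of their choosing before any
                                # Kerberos cryptography is involved
    dns_lookup_kdc = true

# ---- Fragment B (preferred): host -> realm pinned locally, DNS only for KDC discovery ----
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false    # never consult DNS for the host -> realm decision
    dns_lookup_kdc = true       # SRV discovery of KDCs is commonly left on: a KDC
                                # cannot issue usable tickets without the realm keys

[domain_realm]
    # Leading dot matches any host under the domain; bare name matches the domain itself.
    .example.com      = EXAMPLE.COM
    example.com       = EXAMPLE.COM
    .corp.example.com = CORP.EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc          = kdc1.example.com
        admin_server = kdc1.example.com
    }
    CORP.EXAMPLE.COM = {
        kdc          = kdc1.corp.example.com
        admin_server = kdc1.corp.example.com
    }
```

Fragment B keeps the mapping under local change control, which is the point Altman makes about DNS being an unsuitable trust root; it does not address the per-host identity selection problem he says neither referrals nor domain_realm mappings solve.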
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos