[36666] in Kerberos
Re: Proper ordering of mapping entries in [domain_realms] section
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Dec 9 13:16:48 2014
Message-ID: <54873C72.60105@mit.edu>
Date: Tue, 09 Dec 2014 13:16:18 -0500
From: Greg Hudson <ghudson@mit.edu>
To: Todd Grayson <tgrayson@cloudera.com>, kerberos@mit.edu
In-Reply-To: <CALNT6MU23svH1C+r9bES+wRpGSS0nmKxTLt9sovFb2M3jNDkTQ@mail.gmail.com>
On 12/09/2014 12:32 AM, Todd Grayson wrote:
> What is the proper order for the [domain_realms] section of the krb5.conf
> with regard to rules being applied when there are mixed dns FQDN, domain
> names and REALMS.

The order of relations in a profile only matters for relations of the
same name (such as multiple values of "kdc" in a realm subsection). For
[domain_realm], the library will search from most specific to least
specific regardless of the order of the domains in the profile.

> [domain_realm]
> specific-host.domain.name = REALM.NAME
> domain.name = OTHER.REALM.NAME
> .domain.name = OTHER.REALM.NAME

As an aside, you do not need a .domain.name entry if you have a
domain.name entry saying the same thing. Older versions of our
documentation suggested putting in a .domain.name entry, but there was
no reason for it.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
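
The lookup described in the reply above, as an added example that is not part of the original message and is not MIT krb5 code: a small model of a most-specific-to-least-specific [domain_realm] search, run against two constructed profiles with the same mappings in different order. Assumptions: the candidate sequence (a.b.c, .b.c, b.c, .c, c), first value winning for a repeated name, and the function names are all hypothetical choices made for this sketch.

```python
# Constructed sample profiles; CONF_A uses the entries quoted in the thread.
CONF_A = """
[domain_realm]
    specific-host.domain.name = REALM.NAME
    domain.name = OTHER.REALM.NAME
    .domain.name = OTHER.REALM.NAME
"""
# Same mappings in reverse order, with the redundant .domain.name entry dropped.
CONF_B = """
[domain_realm]
    domain.name = OTHER.REALM.NAME
    specific-host.domain.name = REALM.NAME
"""

def parse_domain_realm(text):
    """Return {name: realm} for the [domain_realm] section of profile text."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_section = (line == "[domain_realm]")
            continue
        if in_section and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            # Assumption: for a repeated name, the first value is the one used.
            mapping.setdefault(name.lower(), realm)
    return mapping

def candidates(host):
    """Yield lookup keys from most to least specific (assumed sequence)."""
    p = host.lower().rstrip(".")
    while p:
        yield p
        if p.startswith("."):
            p = p[1:]                      # ".b.c" -> "b.c"
        else:
            dot = p.find(".")
            p = p[dot:] if dot != -1 else ""  # "a.b.c" -> ".b.c"

def host_realm(host, mapping):
    """Return (realm, matching key), or (None, None) if no entry applies."""
    for key in candidates(host):
        if key in mapping:
            return mapping[key], key
    return None, None

if __name__ == "__main__":
    for conf in (CONF_A, CONF_B):
        m = parse_domain_realm(conf)
        for h in ("specific-host.domain.name", "other.domain.name", "domain.name"):
            print(h, "->", host_realm(h, m))
```

Both profiles resolve every host to the same realm; only the key that matched differs for hosts under domain.name once the .domain.name entry is gone.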