[36924] in Kerberos
Re: theory behind unique SPNs
daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Apr 24 17:21:32 2015
Date: Fri, 24 Apr 2015 16:21:15 -0500
From: Nico Williams <nico@cryptonector.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20150424212114.GA13852@localhost>
In-Reply-To: <553AABBF.4050306@mit.edu>
Cc: kerberos@mit.edu
On Fri, Apr 24, 2015 at 04:46:55PM -0400, Greg Hudson wrote:
> On 04/24/2015 03:37 PM, Ben H wrote:
> > Why not simply use host/serverA.domain.com for both services?
> 
> At a protocol level, it's to support privilege separation on the server.
>  The CIFS server doesn't need access to the LDAP server key and vice versa.
And, to a lesser extent, to prevent users from getting redirected from
one service to another.
Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
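The two reasons given in the thread, per-service keys for privilege separation and preventing a ticket for one service from being presented to another, can be made concrete with a small model of ticket issuance. The code below is an added illustration, not code from the thread or from MIT Kerberos: it stands in for Kerberos ticket encryption with an HMAC-SHA256 seal over the ticket body (integrity only, no confidentiality), and the principal names, the `issue_ticket`/`accept_ticket` helpers and the client name `alice` are constructed for the example. It contrasts a realm with distinct `cifs/` and `ldap/` SPNs (each server holds only its own key, so an LDAP server cannot even open a CIFS ticket) against a realm where both services share `host/serverA.domain.com` (both servers hold the same key and see the same sname, so neither can tell which service the ticket was meant for).

```python
import hashlib
import hmac
import json
import os

SERVER = "serverA.domain.com"


def issue_ticket(service_keys, cname, sname):
    """Toy KDC: seal a service ticket for `cname` under the key of `sname`.

    Real Kerberos encrypts the ticket with the service's long-term key;
    here an HMAC tag stands in for that, so only a holder of the same
    key can 'open' (verify) the ticket.
    """
    body = json.dumps(
        {"cname": cname, "sname": sname, "session_key": os.urandom(16).hex()},
        sort_keys=True,
    ).encode()
    tag = hmac.new(service_keys[sname], body, hashlib.sha256).digest()
    return body, tag


def accept_ticket(my_key, my_spn, ticket):
    """Toy application server: return the client name if the ticket was
    sealed under this server's key and names this server's SPN, else None."""
    body, tag = ticket
    expected = hmac.new(my_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # sealed under some other service's key: unreadable here
    fields = json.loads(body)
    if fields["sname"] != my_spn:
        return None  # readable, but issued for a different service
    return fields["cname"]


def unique_spn_scenario():
    """Distinct SPNs: each server process holds only its own key.

    Returns (what CIFS sees, what LDAP sees) for a ticket issued to cifs/.
    """
    keys = {f"cifs/{SERVER}": os.urandom(32), f"ldap/{SERVER}": os.urandom(32)}
    ticket_for_cifs = issue_ticket(keys, "alice", f"cifs/{SERVER}")
    cifs_view = accept_ticket(keys[f"cifs/{SERVER}"], f"cifs/{SERVER}", ticket_for_cifs)
    ldap_view = accept_ticket(keys[f"ldap/{SERVER}"], f"ldap/{SERVER}", ticket_for_cifs)
    return cifs_view, ldap_view


def shared_spn_scenario():
    """Single host/ SPN for both services: both hold the same key and the
    ticket's sname is identical, so a ticket obtained for one service is
    accepted unchanged by the other (the redirection the thread mentions).
    """
    keys = {f"host/{SERVER}": os.urandom(32)}
    ticket_for_host = issue_ticket(keys, "alice", f"host/{SERVER}")
    cifs_view = accept_ticket(keys[f"host/{SERVER}"], f"host/{SERVER}", ticket_for_host)
    ldap_view = accept_ticket(keys[f"host/{SERVER}"], f"host/{SERVER}", ticket_for_host)
    return cifs_view, ldap_view


if __name__ == "__main__":
    print("unique SPNs (cifs sees, ldap sees):", unique_spn_scenario())
    print("shared host/ SPN (cifs sees, ldap sees):", shared_spn_scenario())
```

With unique SPNs the LDAP server returns `None` for the CIFS ticket because it never held the `cifs/` key, which is exactly the privilege-separation property Greg describes; with a shared `host/` key both servers return `alice`, so separating the services would fall entirely on application-level checks that the ticket itself no longer supports.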