[3888] in Kerberos
Re: hierarchical realms
daemon@ATHENA.MIT.EDU (Derek Atkins)
Wed Sep 21 18:50:08 1994
To: P-Pomes@uiuc.edu
Cc: kerberos@MIT.EDU
Date: Wed, 21 Sep 94 18:17:26 EDT
From: Derek Atkins <warlord@MIT.EDU>

> >I'd have to say this is one of the most annoying mis-designs of the
> >implementation. A single line
> >
> >.iastate.edu IASTATE.EDU
> >
> >should suffice--the library should look for the longest matching
> >entry. But no, there has to be one entry for each non-leaf name.
>
> I'll have to agree here. At UIUC we have domains per-department.
> My last count was 201 domains with another 100+ still to be assigned.
> I either have to pre-assign the missing domains or arrange for distribution
> of updated krb.realms files. Even if I pre-assign, I'll still have the
> update problem if any department changes or a new one is created.

Well, this is only one possible case.  Take another example:

    hosts with X.mit.edu really map to ATHENA.MIT.EDU
    hosts with X.lcs.mit.edu map to LCS.MIT.EDU
    hosts with X.media.mit.edu map to MEDIA-LAB.MIT.EDU

How do you define a krb.realms that fits this and allows you to
add things in the future?

So, the designers came up with something that worked for them when
they created Kerberos.  It might not work for everyone.  C'est la vie.
Identd doesn't work for everyone, either ;-)

My point is that just because it doesn't work in your particular
instance doesn't mean that it isn't a viable way of doing it.  It just
means that it isn't _YOUR_ way of doing it.

-derek

Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
Home page: http://www.mit.edu:8001/people/warlord/home_page.html
warlord@MIT.EDU PP-ASEL N1NWH PGP key available
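
Added example, not part of the original message and not Kerberos library code: a longest-match lookup of the kind the quoted poster asks for, run over a constructed table built from the entries named in the thread. The function names and the None result for an unmatched host are assumptions of this sketch; matching is done on whole DNS labels so that a look-alike name such as notmit.edu does not inherit the realm of .mit.edu.

```python
# Constructed krb.realms-style table using the entries named in the thread.
SAMPLE_REALMS = """\
.mit.edu        ATHENA.MIT.EDU
.lcs.mit.edu    LCS.MIT.EDU
.media.mit.edu  MEDIA-LAB.MIT.EDU
.iastate.edu    IASTATE.EDU
"""


def parse_realms(text):
    """Map each lowercased host or .domain entry to its realm.

    Lines that do not have exactly two fields are skipped.
    """
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue
        name, realm = fields
        table[name.lower().rstrip(".")] = realm
    return table


def realm_of_host(host, table):
    """Return the realm of the longest matching entry, or None.

    An exact host entry wins; otherwise parent domains are tried from
    most specific to least specific, always on a label boundary.
    """
    host = host.lower().rstrip(".")
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return None  # assumption: the caller chooses the default realm


TABLE = parse_realms(SAMPLE_REALMS)

if __name__ == "__main__":
    for h in ("foo.mit.edu", "foo.lcs.mit.edu", "a.b.media.mit.edu",
              "cs.dept.iastate.edu", "notmit.edu"):
        print(h, "->", realm_of_host(h, TABLE))
```

With this rule the single .iastate.edu line covers every department subdomain, and the three MIT entries coexist because the more specific suffix is tried first.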