[3890] in Kerberos


Re: hierarchical realms

daemon@ATHENA.MIT.EDU (Tai Jin)
Wed Sep 21 20:11:12 1994

Date: Wed, 21 Sep 1994 16:48:11 -0700
From: Tai Jin <tai@nsa.hp.com>
To: P-Pomes@uiuc.edu, warlord@MIT.EDU
Cc: kerberos@MIT.EDU

> > >I'd have to say this is one of the most annoying mis-designs of the
> > >implementation.  A single line
> > >
> > >.iastate.edu IASTATE.EDU
> > >
> > >should suffice--the library should look for the longest matching
> > >entry.  But no, there has to be one entry for each non-leaf name.
> > 
> > I'll have to agree here.  At UIUC we have domains per-department.
> > My last count was 201 domains with another 100+ still to be assigned.
> > I either have to pre-assign the missing domains or arrange for distribution
> > of updated krb.realms files.  Even if I pre-assign, I'll still have the
> > update problem if any department changes or a new one is created.
> 
> Well, this is only one possible case.  Take another example:
> 	hosts with X.mit.edu really map to ATHENA.MIT.EDU
> 	hosts with X.lcs.mit.edu map to LCS.MIT.EDU
> 	hosts with X.media.mit.edu map to MEDIA-LAB.MIT.EDU

But the longest match scheme mentioned above works for this case as well:

.lcs.mit.edu	LCS.MIT.EDU
.media.mit.edu	MEDIA-LAB.MIT.EDU
.mit.edu	ATHENA.MIT.EDU

This hierarchical approach is more manageable.

...tai
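
Added example, not part of the original message and not the Kerberos library's own code: a longest-match lookup over the ".domain REALM" entries quoted in the thread, so one line per realm covers every subdomain. The names lookup, ieq and sample_table are hypothetical, and the table is constructed from the entries shown above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample table in the ".domain REALM" style quoted above. */
struct realm_entry { const char *domain; const char *realm; };
static const struct realm_entry sample_table[] = {
    { ".mit.edu",       "ATHENA.MIT.EDU"    },
    { ".lcs.mit.edu",   "LCS.MIT.EDU"       },
    { ".media.mit.edu", "MEDIA-LAB.MIT.EDU" },
    { ".iastate.edu",   "IASTATE.EDU"       },
};

/* Case-insensitive equality; host names are not case sensitive. */
static int ieq(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == *b;
}

/* Hypothetical helper: realm of the longest ".domain" entry that is a suffix
 * of host, or NULL when nothing matches. Table order does not matter. */
const char *lookup(const char *host)
{
    size_t hlen = strlen(host), best_len = 0;
    const char *best = NULL;
    for (size_t i = 0; i < sizeof sample_table / sizeof sample_table[0]; i++) {
        size_t dlen = strlen(sample_table[i].domain);
        /* Need a host label before the entry and a longer match than the best.
         * The leading '.' means "notmit.edu" does not match ".mit.edu". */
        if (dlen >= hlen || dlen <= best_len)
            continue;
        if (ieq(host + hlen - dlen, sample_table[i].domain)) {
            best = sample_table[i].realm;
            best_len = dlen;
        }
    }
    return best;
}

int main(void)
{
    const char *hosts[] = { "a.mit.edu", "B.LCS.MIT.EDU", "notmit.edu" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        const char *r = lookup(hosts[i]);
        printf("%-14s -> %s\n", hosts[i], r ? r : "(no entry)");
    }
    return 0;
}
```

A host with no matching entry returns NULL here; what the caller falls back to in that case is left outside the example.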
