[3892] in Kerberos
Re: hierarchical realms
daemon@ATHENA.MIT.EDU (Derek Atkins)
Wed Sep 21 21:09:28 1994
To: Tai Jin <tai@nsa.hp.com>
Cc: P-Pomes@uiuc.edu, kerberos@MIT.EDU
In-Reply-To: Your message of Wed, 21 Sep 94 16:48:11 -0700.
<199409212348.AA070171291@nexus.nsa.hp.com>
Date: Wed, 21 Sep 94 20:58:02 EDT
From: Derek Atkins <warlord@MIT.EDU>

> But the longest match scheme mentioned above works for this case as well:
>
> .lcs.mit.edu LCS.MIT.EDU
> .media.mit.edu MEDIA-LAB.MIT.EDU
> .mit.edu ATHENA.MIT.EDU
>
> This hierarchical approach is more manageable.

But this is three entries, when we really only needed two, since
lcs.mit.edu defaults to LCS.MIT.EDU without a krb.realms entry.

I think the point was that administrative domains should require their
own kerberos realms, just for naming purposes if nothing else. What
is the purpose of creating subdomains? Normally it is because there
is an administrative difference between the domains. For example, the
lcs.mit.edu domain is administratively different than Athena (which
runs the mit.edu namespace). Therefore they have different kerberos
realms.

If you subdivide a namespace just for the sake of subdividing the
namespace, you are doing yourself a disservice. First, you have this
type of problem. Second, you have to make sure that all your hosts
are using different names. For example, if you have
ponderous.cc.your.site and ponderous.xx.your.site, but cc.your.site
and xx.your.site share a kerberos realm, you now have a name conflict!
How do you solve that? By making sure all the names are in a flat
namespace! But if you are doing that, then why subdomain in the first
place?

If you are going to subdomain, then you should have different
administrative control, and different administrative control means you
should have different kerberos realms/servers. If it requires you to
have N-squared shared keys so that your N subdomains work together,
well, so be it. But that is a much better solution, IMHO, than
creating long long krb.realms files because you want 20 million
subdomains to look like they are all in the same administrative
domain.

-derek
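The two mechanisms this exchange argues about, the longest-suffix krb.realms lookup with the Kerberos 4 fallback of uppercasing the host's parent domain, and the host-principal name conflict that arises when two subdomains share a realm, as an added example that is not part of the original thread or of any Kerberos distribution. It assumes krb.realms syntax of one "domain realm" pair per line, a leading dot meaning "any host under this domain", and, as Kerberos 4 did, host service principals built from only the first label of the hostname (rcmd.<label>@REALM); the krb.realms contents and hostnames are constructed for the example.

```python
"""Longest-suffix domain-to-realm mapping in the krb.realms style, plus a
check for the host-principal collision described in the message above."""

# Constructed krb.realms content mirroring the quoted three-entry table.
KRB_REALMS = """
.lcs.mit.edu   LCS.MIT.EDU
.media.mit.edu MEDIA-LAB.MIT.EDU
.mit.edu       ATHENA.MIT.EDU
"""

# Constructed table for the conflict case: two subdomains, one shared realm.
SHARED_SITE = """
.cc.your.site YOUR.SITE
.xx.your.site YOUR.SITE
"""


def parse_realms(text):
    """Return a list of (domain, realm) pairs. A domain starting with '.'
    matches every host beneath it; one without a dot prefix is an exact host."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # tolerate comments and blanks
        if not line:
            continue
        domain, realm = line.split()
        table.append((domain.lower(), realm))
    return table


def default_realm(hostname):
    """Kerberos 4 fallback when no entry matches: the parent domain, uppercased
    (so foo.lcs.mit.edu defaults to LCS.MIT.EDU with no entry at all)."""
    labels = hostname.lower().split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[1:]).upper()


def realm_of_host(hostname, table):
    """Longest-suffix match over the table; exact host entries win outright."""
    host = hostname.lower()
    best = None
    for domain, realm in table:
        if not domain.startswith("."):
            if host == domain:
                return realm
            continue
        if host.endswith(domain) and (best is None or len(domain) > len(best[0])):
            best = (domain, realm)
    return best[1] if best else default_realm(host)


def host_principal_collisions(hostnames, table):
    """Kerberos 4 forms the host principal from the first label only, so two
    hosts with the same first label mapped to the same realm share one
    principal. Returns (first_host, second_host, realm) for each clash."""
    seen = {}
    clashes = []
    for h in hostnames:
        key = (h.lower().split(".")[0], realm_of_host(h, table))
        if key in seen:
            clashes.append((seen[key], h, key[1]))
        else:
            seen[key] = h
    return clashes


if __name__ == "__main__":
    table = parse_realms(KRB_REALMS)
    for h in ("zeus.lcs.mit.edu", "cam.media.mit.edu", "e40.mit.edu", "host.cc.your.site"):
        print(f"{h:22} -> {realm_of_host(h, table)}")
    hosts = ["ponderous.cc.your.site", "ponderous.xx.your.site"]
    for a, b, realm in host_principal_collisions(hosts, parse_realms(SHARED_SITE)):
        print(f"collision: {a} and {b} both become rcmd.ponderous@{realm}")
```

The fourth lookup shows the fallback Derek relies on: with no entry for your.site, host.cc.your.site lands in CC.YOUR.SITE purely by uppercasing its parent domain. The collision check is the cheap audit to run before collapsing several subdomains into one realm; any hit means two machines would be indistinguishable to the KDC.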