[3905] in Kerberos
Re: hierarchical realms
daemon@ATHENA.MIT.EDU (John Gardiner Myers)
Thu Sep 22 17:10:36 1994
To: kerberos@MIT.EDU
Date: Thu, 22 Sep 1994 12:33:48 -0400
From: John Gardiner Myers <jgm+@CMU.EDU>
warlord@MIT.EDU (Derek Atkins) writes:
> But this is three entries, when we really only needed two, since
> lcs.mit.edu defaults to LCS.MIT.EDU without a krb.realms entry.
So you need at least one krb.realms entry for each Kerberos realm.
Big deal, you need at least one krb.conf entry for each Kerberos
realm. This is a lot easier to track than one entry per non-leaf DNS
name.
> What is the purpose of creating subdomains? Normally it is because there
> is an administrative difference between the domains.
The purpose of creating subdomains is to distinguish a set of hosts
that commonly share some interesting property. This property may or
may not be an administrative one. An administrative difference may
not include a difference in user/password administration.
> First, you have this type of problem.
This type of problem is caused by a coding deficiency in Kerberos, not
by the use of subdomains.
> Second, you have to make sure that all your hosts
> are using different names.
Why? The only reason I can think of is because krb_get_phost() throws
away information. Again, the problem is caused by a deficiency in
Kerberos, not the use of subdomains. Fortunately, this one is fixed
in V5.
> For example, if you have
> ponderous.cc.your.site and ponderous.xx.your.site, but cc.your.site
> and xx.your.site share a kerberos realm, you now have a name conflict!
> How do you solve that?
We avoid using krb_get_phost() wherever possible. We don't put
service keys on every machine.
--
_.John G. Myers Internet: jgm+@CMU.EDU
LoseNet: ...!seismo!ihnp4!wiscvm.wisc.edu!give!up
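
Added example, not part of the original message and not code from the Kerberos library: a small C model of the name conflict discussed above. It assumes the V4-style instance is the lowercased first label of the host name (the information krb_get_phost() is said to throw away) and that a V5-style name keeps the full host name; the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define INST_BUF 256

/* Assumed V4-style derivation: keep only the first DNS label, lowercased.
 * Returns 0 on success, -1 on an empty label or a too-small buffer. */
int v4_instance(const char *host, char *out, size_t outlen)
{
    size_t n = strcspn(host, ".");
    if (n == 0 || n >= outlen)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)host[i]);
    out[n] = '\0';
    return 0;
}

/* Assumed V5-style derivation: keep the whole name, lowercased,
 * with one trailing root dot removed. */
int full_instance(const char *host, char *out, size_t outlen)
{
    size_t n = strlen(host);
    if (n > 0 && host[n - 1] == '.')
        n--;
    if (n == 0 || n >= outlen)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)host[i]);
    out[n] = '\0';
    return 0;
}

typedef int (*derive_fn)(const char *, char *, size_t);

/* 1 if both hosts get the same instance in a shared realm, 0 if the
 * instances differ, -1 if either name cannot be derived. */
int instances_collide(derive_fn derive, const char *a, const char *b)
{
    char ia[INST_BUF], ib[INST_BUF];
    if (derive(a, ia, sizeof ia) != 0 || derive(b, ib, sizeof ib) != 0)
        return -1;
    return strcmp(ia, ib) == 0;
}

int main(void)
{
    const char *a = "ponderous.cc.your.site", *b = "ponderous.xx.your.site";
    printf("first label only: collide=%d\n", instances_collide(v4_instance, a, b));
    printf("full host name:   collide=%d\n", instances_collide(full_instance, a, b));
    return 0;
}
```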