[4402] in Kerberos
Re: krb.realms in K4
daemon@ATHENA.MIT.EDU (warlord@MIT.EDU)
Thu Dec 22 19:10:24 1994
From: warlord@MIT.EDU
Date: Thu, 22 Dec 94 17:01:20 EST
To: mattp@apertus.com (Matt Perry)
Cc: kerberos@MIT.EDU
In-Reply-To: "[4392] in Kerberos"
> Is this example correct?

You seem very confused as to what krb.conf and krb.realms do. First,
krb.conf on a machine will state two things. First, it states what
the default realm is, and second, it enumerates the realms that that
client knows about. So, if I had a krb.conf that said:

    MEDIA-LAB.MIT.EDU
    ATHENA.MIT.EDU kerberos.mit.edu
    MEDIA-LAB.MIT.EDU toxicwaste.mit.edu
    LCS.MIT.EDU kerberos.lcs.mit.edu

This would mean that "kinit warlord" would try to get me tickets in
the MEDIA-LAB kerberos realm, since MEDIA-LAB is the default realm.
It says nothing about where my services are located.

Now, for krb.realms:

    FOO.BAR.EDU REALM3
    HOST1.FOO.BAR.EDU REALM2
    HOST2.FOO.BAR.EDU REALM2
    HOST3.FOO.BAR.EDU REALM1
    .FOO.BAR.EDU REALM3

This means that a client, when connecting to HOST1, will try to get
service.host1@REALM2, for HOST2 it will try service.host2@REALM2, and
for HOST3 it will attempt to get service.host3@REALM1.

You want _all_ kerberos client machines to have access to the same
krb.realms file, and the krb.conf file should detail the default realm
and enumerate all realms that you know of.

I don't know why you'd want to have such a silly setup as this, but
you might.

I hope this helps.

-derek
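
Added example, not part of the original message and not MIT Kerberos code: a small Python parser for the two sample files quoted above that resolves a host to its realm, builds the service.instance@REALM name, and lists realms that krb.realms references but krb.conf does not enumerate. The function names, the rule that an exact host entry wins over a leading-dot domain entry, and returning None when nothing matches are assumptions of this example.

```python
# Constructed inputs: the two sample files from the message above.
KRB_CONF = """\
MEDIA-LAB.MIT.EDU
ATHENA.MIT.EDU kerberos.mit.edu
MEDIA-LAB.MIT.EDU toxicwaste.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
"""
KRB_REALMS = """\
FOO.BAR.EDU REALM3
HOST1.FOO.BAR.EDU REALM2
HOST2.FOO.BAR.EDU REALM2
HOST3.FOO.BAR.EDU REALM1
.FOO.BAR.EDU REALM3
"""

def parse_krb_conf(text):
    """First line: default realm. Later lines: REALM kdc-host."""
    rows = [l.split() for l in text.splitlines() if l.strip()]
    kdcs = {}
    for realm, kdc, *_ in rows[1:]:
        kdcs.setdefault(realm, []).append(kdc)
    return rows[0][0], kdcs

def parse_krb_realms(text):
    """Split entries into exact-host and leading-dot domain maps."""
    hosts, domains = {}, {}
    for name, realm in (l.split() for l in text.splitlines() if l.strip()):
        (domains if name.startswith(".") else hosts)[name.upper()] = realm
    return hosts, domains

def realm_of_host(fqdn, hosts, domains):
    # Assumption: exact host entry wins, then the closest enclosing domain.
    name = fqdn.upper()
    if name in hosts:
        return hosts[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domains:
            return domains[suffix]
    return None  # no entry; fallback behaviour is not modelled here

def service_principal(service, fqdn, hosts, domains):
    realm = realm_of_host(fqdn, hosts, domains)
    return realm and f"{service}.{fqdn.split('.')[0].lower()}@{realm}"

def unknown_realms(hosts, domains, kdcs):
    # Realms that krb.realms points at but krb.conf does not enumerate.
    return sorted({*hosts.values(), *domains.values()} - set(kdcs))
```

Run against the two samples as quoted, unknown_realms() reports REALM1, REALM2 and REALM3, because the krb.conf sample and the krb.realms sample describe different sites.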