[594] in Kerberos
service instance names
daemon@TELECOM.MIT.EDU (John T Kohl)
Wed Jan 11 22:41:23 1989
From: John T Kohl <jtkohl@ATHENA.MIT.EDU>
To: kerberos@ATHENA.MIT.EDU

I just thought up a scheme by which we can avoid a "flag day" of
converting the instances used by the existing Kerberos services.

Currently, most Kerberos-mediated services use principal names such as
'service.host' where 'host' is the first portion of the domain
name of the host on which the service is provided
(e.g. rcmd service on athena.mit.edu --> rcmd.athena).

What really should be used as the instance name is the official domain
name of the providing host. The impediment in conversion is replacing
all the clients which expect to present tickets for service,host rather
than service,host.domain.

What could be done to ease the conversion synchronization problem is to
provide the same service key for BOTH style principal names to the
service-providing programs, and let them sort out the requests. This
would allow interoperability of old clients (which are probably
populous) with new servers (which are much scarcer). Eventually the
old-style principal names could be removed from the KDC database, and
the key files updated.

Comments?
John
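
The scheme proposed in the message above, as an added illustration that is not part of the original message or of any Kerberos code: a toy KDC and server where both principal names map to one service key, followed by retirement of the old-style name. HMAC-SHA256 stands in for ticket encryption, and every class, function and client name here is an assumption made for the sketch.

```python
import hashlib
import hmac
import os
from collections import Counter


def both_names(service, fqdn):
    """Return (old-style, new-style) principal names for a service on a host."""
    return f"{service}.{fqdn.split('.')[0]}", f"{service}.{fqdn}"


def seal(key, body):
    # Stand-in for ticket encryption: a MAC under the service key (assumption).
    return hmac.new(key, body, hashlib.sha256).digest()


class ToyKDC:
    def __init__(self):
        self.db = {}  # principal name -> service key

    def register(self, service, fqdn):
        key = os.urandom(32)
        for name in both_names(service, fqdn):
            self.db[name] = key  # the same key under BOTH name styles
        return {name: key for name in both_names(service, fqdn)}  # key file

    def ticket(self, client, principal):
        body = f"{client}|{principal}".encode()
        return body, seal(self.db[principal], body)  # KeyError once retired

    def retire_old(self, service, fqdn):
        del self.db[both_names(service, fqdn)[0]]


class ToyServer:
    def __init__(self, keyfile):
        self.keyfile = dict(keyfile)
        self.seen = Counter()  # which name style clients still present

    def accept(self, ticket):
        body, tag = ticket
        principal = body.decode().split("|", 1)[1]
        key = self.keyfile.get(principal)
        if key is None or not hmac.compare_digest(tag, seal(key, body)):
            return False
        self.seen[principal] += 1
        return True
```

The `seen` counter on the server shows how many clients still present the old-style name, which is the signal for when that name can be removed from the KDC database and the key file.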