[16329] in Kerberos_V5_Development


Re: Project Review: kinit -C

daemon@ATHENA.MIT.EDU (John Hascall)
Fri Sep 17 07:58:06 2010

To: Kerberos Devel list <krbdev@mit.edu>
Date: Fri, 17 Sep 2010 06:58:02 CDT
Message-ID: <4630.1284724682@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>


Nicolas Williams <Nicolas.Williams@oracle.com> writes:
> Now, the answer to your question...  If you're going to run multiple
> KDCs on one system w/o virtualization, then you'll need to use non-
> default ports. [if you assume your point below] ...

> Also, allowing multiple KDCs on different network interfaces would add
> significant complexity to the network re-configuration code and/or would
> mean that krb5kdc and kadmind cannot adjust automatically to network
> configuration.

I'm wondering why this would be.  I'm thinking this isn't much more
than a config file and/or command line option a la '-i eth0' and
an if-statement here or there.  In fact, even in the absence of
multiple KDCs I would think restricting which interface you would
talk to might be a good thing.

Also, perhaps I haven't been paying close enough attention, but what is
the use case for adding the complexity of automatically dealing with
network reconfiguration?  For example, our KDCs have had the same
IP addresses for over 20 years, so for us at least, I'm not seeing a value.

> Virtualization is an easy answer here.

Perhaps we're paranoid, but it's not one I ever see us
using on something like a KDC.


John
-------------------------------------------------------------------------------
John Hascall, john@iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
IT Services, The Iowa State University of Science and Technology
