[16331] in Kerberos_V5_Development
Re: Project Review: kinit -C
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Sep 17 10:42:58 2010
From: Greg Hudson <ghudson@mit.edu>
To: John Hascall <john@iastate.edu>
In-Reply-To: <4630.1284724682@malison.ait.iastate.edu>
Date: Fri, 17 Sep 2010 10:42:53 -0400
Message-ID: <1284734573.5992.1773.camel@ray>
Mime-Version: 1.0
Cc: Kerberos Devel list <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Fri, 2010-09-17 at 07:58 -0400, John Hascall wrote:
> I'm wondering why this would be. I'm thinking this isn't much more
> than a config file and/or command line option a la '-i eth0' and
> and an if-statement here or there. In fact, even in the absence of
> multiple KDCs I would think restricting which interface you would
> talk to might be a good thing.
Feel free to take a look at kdc/main.c and lib/apputils/net-server.c and
decide where you'd put the if statement here or there. :) I don't think
it's impossible, but what we have right now is already kind of an
octopus.
> Also, perhaps I haven't been paying close enough attention, but what is
> the use case for adding the complexity of automatically dealing with
> network reconfiguration. For example, our KDCs have had the same
> IP addresses for over 20 years, so for us at least, I'm not seeing a value.
The real-world use case is mini-KDCs running on laptops or other
DHCP-configured computers. Obviously these are not traditional KDCs
serving whole organizations, but see http://support.apple.com/kb/TS1452
for instance.
Sam also came up with a use case involving a KDC running on a
hypervisor, but after discussion it sounds like the guests would still
all be using the same address (though not the same interface) to talk to
the KDC, so no rebinding is necessary.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
