[137] in Kerberos
Re: Interrealm misfeatures; alternat
jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:32:49 1987
From miller%erlang.DEC@decwrl.DEC.COM Mon Nov 3 11:05:42 1986
Date: 03-Nov-1986 1042
From: miller%erlang.DEC@decwrl.DEC.COM (Steve Miller)
To: kerberos@athena.mit.edu (Distribution list @KERB),
miller%erlang.DEC@decwrl.DEC.COM
Subject: Re: Interrealm misfeatures; alternate an_to_ln
Bill's analysis of the realm problem looks right. The local ticket
file should keep track of the principal's realm, and this should
be used in mk_ap_req(). This should be a straightforward fix.
(Who is maintaining Kerberos currently?). Also, I would suggest doing
a quick "grep" of the Kerberos library looking for various uses of
the realm where it may similarly be hard-wired or ignored. The main
thing to keep in mind about the realm is that the Kerberos server
labels the tickets with the realm. All the rest is bookkeeping.
Regarding "an_to_ln()", Bill's intention is good. The original mapping
was just a simple default to get things going, and isolate the
Kerberos name space from system-specific name spaces. Before adopting
this new "an_to_ln()" on a larger scale, there should be some
discussion with the people doing the name service and service management
service. In terms of the details of Bill's suggestion, two comments:
1) The search order has to be specified, e.g. can the default
{name,"",realm} ---> <name> be overridden by the auxiliary file?
2) A local user <name> could be allowed to control all Kerberos
names that map into <name>, since <name> represents the
local resources and privileges. This allows a more general
proxy mechanism, though perhaps complicating management.
In the long run, are these mappings handled through SMS?
Steve
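The two comments above (an explicit search order for an_to_ln(), and a local user controlling which Kerberos names map into that user) can be made concrete. The following is an added illustration, not code from the 1986 Kerberos library or from Steve's message: the auxiliary-file format ("name.instance@REALM  localname"), the per-user allow list, the local realm "ATHENA.MIT.EDU" and all principal strings are constructed assumptions. It also shows the point from the first paragraph that the realm is part of the name and must not be ignored: the default mapping {name,"",realm} ---> <name> fires only for the local realm.

```python
"""an_to_ln() sketch with an explicit search order.

Added example; file format, function names and sample principals are
assumptions, not the original Kerberos library code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

LOCAL_REALM = "ATHENA.MIT.EDU"   # assumed local realm


@dataclass(frozen=True)
class Principal:
    name: str
    instance: str   # "" when absent
    realm: str


def parse_principal(text: str) -> Principal:
    """Parse 'name.instance@REALM' or 'name@REALM' (assumed textual form)."""
    if "@" not in text:
        raise ValueError("principal must carry an explicit realm: %r" % text)
    name_part, realm = text.rsplit("@", 1)
    name, _, instance = name_part.partition(".")
    if not name or not realm:
        raise ValueError("malformed principal: %r" % text)
    return Principal(name, instance, realm)


# Constructed auxiliary map file (assumed format: one 'principal  localname'
# per line, '#' starts a comment).  Entries are keyed on the full
# {name, instance, realm} triple, so the realm is never ignored.
AUX_MAP_TEXT = """
# auxiliary an_to_ln map (constructed sample)
miller.@ERLANG.DEC.COM    smiller
jon.root@ATHENA.MIT.EDU   root
"""


def parse_aux_map(text: str) -> Dict[Principal, str]:
    table: Dict[Principal, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("bad map line: %r" % raw)
        table[parse_principal(fields[0])] = fields[1]
    return table


AUX = parse_aux_map(AUX_MAP_TEXT)

# Constructed per-user allow lists (comment 2 in the message): the local user
# 'steve' declares which Kerberos names may map into 'steve'.  Control over
# this list is control over steve's resources and privileges.
USER_ALLOW: Dict[str, List[str]] = {
    "steve": ["miller.@ERLANG.DEC.COM", "miller@ATHENA.MIT.EDU"],
}


def an_to_ln(p: Principal,
             aux: Dict[Principal, str],
             user_allow: Dict[str, List[str]],
             local_realm: str = LOCAL_REALM) -> Optional[str]:
    """Map a Kerberos principal to a local login name.

    Search order (comment 1), most specific first:
      1. auxiliary-file entry for the exact {name, instance, realm}
      2. a local user's allow list naming this principal
      3. default rule {name, "", local_realm} -> name, local realm only
    Returns None when no rule matches.
    """
    if p in aux:
        return aux[p]
    # Deterministic order: if two users list the same principal the
    # lexically first local name wins; an administrator should treat such
    # overlap as a configuration error.
    for lname in sorted(user_allow):
        if p in {parse_principal(a) for a in user_allow[lname]}:
            return lname
    if p.instance == "" and p.realm == local_realm:
        return p.name
    return None


if __name__ == "__main__":
    for s in ("jon@ATHENA.MIT.EDU", "jon@ERLANG.DEC.COM",
              "jon.root@ATHENA.MIT.EDU", "miller@ERLANG.DEC.COM",
              "miller@ATHENA.MIT.EDU"):
        print("%-28s -> %s" % (s, an_to_ln(parse_principal(s), AUX, USER_ALLOW)))
```

Note the two cases that the search order decides: "miller@ERLANG.DEC.COM" appears both in the auxiliary file and in steve's allow list, and the auxiliary file wins; "miller@ATHENA.MIT.EDU" would map to "miller" by the default rule, but steve's allow list is consulted first. Whether that second behaviour is desired is exactly the policy question the message leaves open.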