[235] in Kerberos
Hostname-instance problems
daemon@TELECOM.MIT.EDU (Jon Rochlis)
Wed Oct 28 14:20:59 1987
From: Jon Rochlis <jon@ATHENA.MIT.EDU>
To: Saltzer@ATHENA.MIT.EDU
Cc: treese@ATHENA.MIT.EDU, kerberos@ATHENA.MIT.EDU, treese@ATHENA.MIT.EDU
In-Reply-To: Jerome H. Saltzer's message of Wed, 28 Oct 87 11:20:52 EST <8710281620.AA12417@HERACLES.MIT.EDU>
This also has to do with the relationship between Kerberos realms and
namespace domains. For example we had the frats (and the SIPB)
in their own domain, but using the Athena Kerberos realm. Since the
instance for service keys wasn't fully qualified, you had to be
careful about name assigment. (E.g. rlogin into binkley.sipb.mit.edu
by getting tickets for rcmd.binkley, but that implies that there isn't
a binkley.mit.edu).
This is a can of worms, and really should be solved, but is it too
much to deal with in the first release. See Jeff's message to the
kerberos list on July 9 of this year for more of the problem
(transaction [0206] in the kerberos discuss meeting on achilles).
I think a shipped Kerberos should probably use the fully qualified domain
names for service instances, and we should seriously consider doing
that ourselves (even with the flag day, or duplicate entries that that
would imply).
-- Jon
