[241] in Kerberos
Re: Hostname-instance problem
daemon@TELECOM.MIT.EDU (Stan Zanarotti)
Thu Oct 29 17:22:33 1987
From: srz@MELANGE.LCS.MIT.EDU (Stan Zanarotti)
To: kerberos@ATHENA.MIT.EDU
Cc: treese@ATHENA.MIT.EDU

>I think a shipped Kerberos should probably use the fully qualified domain
>names for service instances, and we should seriously consider doing
>that ourselves (even with the flag day, or duplicate entries that that
>would imply).

Using fully qualified domain names as service instances doesn't solve
the entire problem; it only avoids name conflicts when the same
Kerberos server serves machines with the same initial hostname (if
there were a BINKLEY.SIPB.MIT.EDU and BINKLEY.PIKA.MIT.EDU).

The problem we're running into is answering the question: "I'm
trying to contact this host; what realm do I use to get Kerberos
tickets for it?" Cliff was originally planning on having the name
service answer this question; associated with each machine is its
Kerberos realm. This never got implemented. So right now we're stuck
with the situation where either the domain name of a hostname is used
to determine the realm (as the LCS code does it), or the realm is
given explicitly on the command line with the '-k' option (as the
Athena code does it).

Jeff talked about having a UDP service that returns the Kerberos realm
name for a machine; when contacting a machine, you contact this UDP
service first to determine which realm to use.

-stan
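
The realm-selection options discussed in this message, as an added example that is not part of the original post and not code from any Kerberos release. The function names, the `domain_realms` table, the `svc` service name and the `REALM.EXAMPLE` realm are assumptions made for illustration; the table goes beyond the message by modelling a per-domain realm association with a longest-suffix match.

```python
"""Added illustration: picking a realm and a service instance for a host."""


def realm_for_host(hostname, explicit_realm=None, domain_realms=None):
    """Return the realm to request tickets from for `hostname`.

    Order of precedence: an explicitly given realm (the '-k' style
    override), then the longest matching domain suffix in the
    hypothetical `domain_realms` table, then the host's own domain name.
    """
    if explicit_realm:
        return explicit_realm.upper()
    host = hostname.rstrip(".").lower()
    _, _, domain = host.partition(".")
    if not domain:
        # A bare hostname carries no domain, so no realm can be derived.
        raise ValueError(f"{hostname!r} is not fully qualified; give the realm")
    labels = domain.split(".")
    for i in range(len(labels)):  # i = 0 is the longest suffix
        suffix = ".".join(labels[i:])
        if domain_realms and suffix in domain_realms:
            return domain_realms[suffix]
    return domain.upper()


def service_instance(hostname, qualified):
    """Instance part of a service principal: full name or first label only."""
    host = hostname.rstrip(".").lower()
    return host if qualified else host.split(".", 1)[0]


def principal(service, hostname, realm, qualified):
    """Principal as a (name, instance, realm) triple."""
    return (service, service_instance(hostname, qualified), realm)


if __name__ == "__main__":
    # Hostnames are the two from the message; the shared realm is constructed.
    table = {"mit.edu": "REALM.EXAMPLE"}
    for h in ("BINKLEY.SIPB.MIT.EDU", "BINKLEY.PIKA.MIT.EDU"):
        realm = realm_for_host(h, domain_realms=table)
        print(principal("svc", h, realm, qualified=False),
              principal("svc", h, realm, qualified=True))
```

With both hosts served by one realm, the short-instance principals are identical while the fully qualified ones differ; a bare hostname still needs the realm supplied from somewhere else.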