[245] in Kerberos

given realm, where is master kerberos server?

daemon@TELECOM.MIT.EDU (steiner@ATHENA.MIT.EDU)
Fri Oct 30 19:17:44 1987

From: steiner@ATHENA.MIT.EDU
To: kerberos@ATHENA.MIT.EDU

This is a problem I've run into when trying to set up
a new kerberos realm on another machine.  (I've talked
to several people about this and most of the ideas here
are theirs, not mine. I'm just confused.)

If you want to do a write operation (like changing a
password), the Master kerberos server must be located,
unlike read-only (authentication) operations where Slave
servers will do.

Say you know what realm you want; how do you find out
which machine the master is running on?  Right now, it's
assumed to be on a machine called "kerberos".  Maybe this
is a good idea; that means that, given a realm, you can
always find the master kerberos server on a machine called
"kerberos".

But the way that the local realm is found, and the way a generic
(slave or master) kerberos server is found, is done differently
and maybe that model should also be used for the master.  Namely,
/etc/krb_config is consulted, and if it's not there, the
#define KRB_HOST or KRB_REALM is taken as default.  The master
could be designated in the krb_config file too, or default
to a #define'd KRB_MASTER.

This would certainly make testing easier on machines which
don't happen to think their name is "kerberos", but that's
not necessarily a good reason to do it.

Another related question is:  could a nameserver (Hesiod)
be used in place of the /etc/krb_config file?  It could
be argued that someone could impersonate the nameserver,
but it could also be argued that that wouldn't get them
very far.

Finally, does this relate to the Hostname-as-instance problem
at all?  Enlightenment would be appreciated.

Jennifer
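
An added example, not part of the original message or of the Kerberos source: one way the lookup proposed in the post could work, with the master named in the configuration and a fallback to a #define'd KRB_MASTER. The file layout ("REALM HOST [master]"), the function name krb_find_master and the sample host names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Compiled-in fallback, as the post proposes; "kerberos" is the host
   name the post says is assumed today. */
#define KRB_MASTER "kerberos"

/* Hypothetical krb_config layout (an assumption, not the real format):
   "REALM HOST [master]" per line, '#' starts a comment line.
   Constructed sample contents: */
static const char SAMPLE_CFG[] =
    "# constructed sample\n"
    "ATHENA.MIT.EDU kerberos-2\n"
    "ATHENA.MIT.EDU kerberos-1 master\n"
    "TEST.REALM testhost master\n";

/* Find the master server for `realm` in config text `cfg` (NULL when
   the file is absent). Returns 1 if the config named a master, 0 if
   the compiled default was used, -1 if `out` is too small. */
int krb_find_master(const char *cfg, const char *realm,
                    char *out, size_t outlen)
{
    const char *p = cfg;
    while (p && *p) {
        char line[256], r[64], h[64], flag[16];
        size_t len = strcspn(p, "\n");
        if (len < sizeof line) {          /* over-long lines are skipped */
            memcpy(line, p, len);
            line[len] = '\0';
            if (sscanf(line, "%63s %63s %15s", r, h, flag) == 3 &&
                r[0] != '#' && strcmp(r, realm) == 0 &&
                strcmp(flag, "master") == 0) {
                if (strlen(h) >= outlen) return -1;
                strcpy(out, h);
                return 1;
            }
        }
        p += len;
        if (*p == '\n') p++;
    }
    if (strlen(KRB_MASTER) >= outlen) return -1;
    strcpy(out, KRB_MASTER);
    return 0;
}

int main(void)
{
    char host[64];
    int rc = krb_find_master(SAMPLE_CFG, "TEST.REALM", host, sizeof host);
    printf("%s (%s)\n", host, rc == 1 ? "from config" : "compiled default");
    return 0;
}
```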