[238] in Zephyr Mailing List


Re: Interrealm support issues

daemon@ATHENA.MIT.EDU (Derek Atkins)
Fri Jan 3 09:33:00 1997

Date: Fri, 3 Jan 1997 09:31:06 -0500
From: Derek Atkins <warlord@MIT.EDU>
To: Derrick J Brashear <shadow@DEMENTIA.ORG>
Cc: zephyr@MIT.EDU
In-Reply-To: "[237] in Zephyr Mailing List"

There are actually two issues in terms of Kerberos realm vs. zephyr realm.

1) There is the kerberos realm associated with the sender (and
recipient) principals.  For example, I am "warlord@ATHENA.MIT.EDU".
This doesn't change when I use various realms.

2) There is the kerberos realm associated with the zephyr realm (or
perhaps it should be "zephyr servers?" within the zephyr realm).

Currently, zephyr assumes that these two "realms" (the recipient
principal realm and the zephyr kerberos realm) are the same.  They
don't necessarily have to be.  Moreover, the zephyr realm should not
need to match the zephyr kerberos realm (similar to AFS).

For example, we should be able to set up a SIPB.MIT.EDU zephyr realm
which uses the ATHENA.MIT.EDU kerberos realm for authentication
(similar to how the sipb.mit.edu AFS cell uses ATHENA.MIT.EDU kerberos
authentication).


To do inter-realm zephyr properly, we need, most likely, to change the
protocol.  If we change the protocol, then none of the current
applications will work, so we can feel free to change how zephyr
behaves (we can always provide backwards compatibility in the local
server).  The problem is that unless we make assumptions that probably
aren't valid, the protocol doesn't have enough fields to support
everything we want to do.

Ideally, we should have the following information in terms of
addressing a zephyr message:
	sender principal
	sender host
	recipient principal
	class/instance...
	zephyr realm	<== not in current protocol

Next, there needs to be a mechanism to convert the zephyr realm to a
kerberos realm.  I'd recommend a similar method to what afs does:
	zephyr.athena.mit.edu@ATHENA.MIT.EDU
	zephyr.sipb.mit.edu@ATHENA.MIT.EDU
	zephyr.andrew.cmu.edu@ANDREW.CMU.EDU
	etc.

If we're going to change the protocol, we might as well fix all of the
protocol problems, too.  I've heard ideas murmured about other
possible changes to the protocol.  Perhaps those people can chime in
with their ideas?


If we are not going to change the protocol, then we must make the
assumption that zephyr realm == zephyr kerberos realm == recipient
principal realm.

-derek
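The following is an added example, not part of Derek's message and not code from the Zephyr project. It models the addressing fields he lists, parses an AFS-style realm map of the form "zephyr.<zephyr realm>@<Kerberos realm>", and resolves which Kerberos realm a message is authenticated in under both rules: the proposed one (zephyr realm field present, mapped through the table) and the forced one when the field is absent (zephyr realm == zephyr kerberos realm == recipient principal realm). The realm map contents, the principals other than warlord@ATHENA.MIT.EDU, the host names, and the service principal naming "zephyr/<zephyr realm>@<Kerberos realm>" are constructed assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed realm map in the AFS-like form proposed in the message:
# "zephyr.<zephyr realm>@<Kerberos realm>".  Lines starting with '#' are comments.
REALM_MAP_TEXT = """
# zephyr realm                 Kerberos realm used for authentication
zephyr.athena.mit.edu@ATHENA.MIT.EDU
zephyr.sipb.mit.edu@ATHENA.MIT.EDU
zephyr.andrew.cmu.edu@ANDREW.CMU.EDU
"""


def parse_realm_map(text: str) -> Dict[str, str]:
    """Parse 'zephyr.<zrealm>@<KRBREALM>' lines into {zrealm: KRBREALM}.

    Zephyr realm names are DNS-style, so they are compared case-insensitively;
    Kerberos realm names are kept exactly as written (they are case-sensitive).
    """
    realms: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, krb_realm = line.rpartition("@")
        if not sep or not name.startswith("zephyr.") or not krb_realm:
            raise ValueError(f"malformed realm map entry: {line!r}")
        realms[name[len("zephyr."):].lower()] = krb_realm
    return realms


@dataclass(frozen=True)
class Principal:
    """A Kerberos principal such as warlord@ATHENA.MIT.EDU."""
    name: str
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        name, sep, realm = text.rpartition("@")
        if not sep or not name or not realm:
            raise ValueError(f"principal needs name@REALM: {text!r}")
        return cls(name, realm)


@dataclass(frozen=True)
class ZephyrAddress:
    """The addressing fields listed in the message.  zephyr_realm is the
    field the current protocol lacks; None models a message from an old
    client that cannot carry it."""
    sender: Principal
    sender_host: str
    recipient: Principal
    msg_class: str
    instance: str
    zephyr_realm: Optional[str] = None


def resolve_auth_realm(addr: ZephyrAddress,
                       realm_map: Dict[str, str]) -> Tuple[str, str]:
    """Return (zephyr realm, Kerberos realm) the message is authenticated in.

    Without a zephyr realm field the only workable rule is the forced one:
    zephyr realm == zephyr Kerberos realm == recipient principal realm.
    With the field present, the realm map decouples the two.
    """
    if addr.zephyr_realm is None:
        krb_realm = addr.recipient.realm
        return krb_realm, krb_realm
    zrealm = addr.zephyr_realm.lower()
    try:
        return zrealm, realm_map[zrealm]
    except KeyError:
        raise LookupError(f"unknown zephyr realm {addr.zephyr_realm!r}") from None


def needs_cross_realm(addr: ZephyrAddress, realm_map: Dict[str, str]) -> bool:
    """True when the sender's own Kerberos realm differs from the realm the
    target zephyr realm authenticates in, i.e. the client must hold
    cross-realm tickets.  The sender principal itself never changes."""
    _, krb_realm = resolve_auth_realm(addr, realm_map)
    return addr.sender.realm != krb_realm


def server_service_principal(addr: ZephyrAddress,
                             realm_map: Dict[str, str]) -> str:
    """Service principal a client would request a ticket for.  The naming
    'zephyr/<zephyr realm>@<Kerberos realm>' is an assumption of this
    example, not something the message specifies."""
    zrealm, krb_realm = resolve_auth_realm(addr, realm_map)
    return f"zephyr/{zrealm}@{krb_realm}"


if __name__ == "__main__":
    realms = parse_realm_map(REALM_MAP_TEXT)
    warlord = Principal.parse("warlord@ATHENA.MIT.EDU")
    rcpt = Principal.parse("someone@ATHENA.MIT.EDU")  # constructed recipient
    for zrealm in ("SIPB.MIT.EDU", "andrew.cmu.edu", None):
        addr = ZephyrAddress(warlord, "host.example.mit.edu", rcpt,
                             "MESSAGE", "PERSONAL", zrealm)
        print(zrealm, resolve_auth_realm(addr, realms),
              "cross-realm" if needs_cross_realm(addr, realms) else "local")
```

Note that with the realm field present, a message into the sipb.mit.edu zephyr realm from warlord@ATHENA.MIT.EDU needs no cross-realm tickets, because the map sends sipb.mit.edu to ATHENA.MIT.EDU, whereas andrew.cmu.edu does; with the field absent, the resolver can only fall back to the recipient's principal realm, which is exactly the assumption the message says the current protocol forces.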
