> You ask to have these realms removed.
> My question is what harm is done by having them there?

> So, I'll admit a certain frustration that rather than answering
> the questions I asked you responded with your own questions.

Fair enough: as a sysadmin, when I enter answers for package installation, I expect the resulting setup to reflect those answers.

When I install LDAP packages, and I enter the URI for my LDAP server/s, I don't expect MIT's to be there or the University of Toronto's (whose campus is physically right across the street from my office).

When I enter the smart relay for (say) Postfix, I don't expect a value that contains the value for 1ts.org or doomcom.org in my main.cf.

Similarly when I enter my Kerberos domain, I expect it, and only it, to be in the resulting configuration.

The harm is the violation of POLA: principle of least astonishment.

        https://en.wikipedia.org/wiki/Principle_of_least_astonishment

As you say, this isn't a huge, huge deal, but as someone who works in *.oicr.on.ca, I fail to see how it can be justified to have *.mit.edu, *.stanford.edu, *.cmu.edu, *.doomcom.org, *.gratuitous.org, *.1ts.org, *.gnu.org, *.ihtfp.org, and *.utoronto.ca in my default configuration. If I automate an install, I would want to pre-seed the answer to "krb5-config/default_realm" and get a sane result. Having to go in afterwards and tweak the configuration to something that reflects our environment should not be necessary.

If you want to have examples, perhaps use "example.{com,org,net}" from RFC 2606/6761. At the very least, have the others commented out so they're not live.

If you want to bump this down to "wishlist", feel free.

P.S. The values that are currently present don't seem to be correct. For example:

        CSAIL.MIT.EDU = {
                kdc = kerberos-1.csail.mit.edu
                kdc = kerberos-2.csail.mit.edu
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
                krb524_server = krb524.csail.mit.edu
        }

        ANDREW.CMU.EDU = {
                kdc = vice28.fs.andrew.cmu.edu
                kdc = vice2.fs.andrew.cmu.edu
                kdc = vice11.fs.andrew.cmu.edu
                kdc = vice12.fs.andrew.cmu.edu
                admin_server = vice28.fs.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }

$ dig +short -t srv _kerberos._tcp.CSAIL.MIT.EDU
0 0 88 alsatian.csail.mit.edu.

$ dig +short -t srv _kerberos._tcp.ANDREW.CMU.EDU
0 0 88 KDC-02.ANDREW.CMU.EDU.
10 0 88 PPA-KDC-01.ANDREW.CMU.EDU.
0 0 88 KDC-01.ANDREW.CMU.EDU.

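The P.S. above makes a point a practitioner can check mechanically: a shipped krb5.conf can name KDCs that no longer match what the realm advertises in DNS SRV records, and it can carry realms that have nothing to do with the local site. The script below is an added example, not part of the bug report or of the krb5-config package. It parses the [realms] section of a krb5.conf fragment (constructed here from the stanzas quoted above) and compares each realm's configured kdc hosts against a constructed table of SRV answers modelled on the dig output in the report; a live check would replace that table with real lookups of _kerberos._tcp.<REALM>. It also lists every configured realm other than the one the site actually uses (EXAMPLE.COM is assumed here), which is the least-astonishment complaint in the message.

```python
import re

# Constructed krb5.conf fragment, modelled on the stanzas quoted in the report.
# EXAMPLE.COM stands in for the local site's realm (an assumption for this example).
KRB5_CONF = """
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        CSAIL.MIT.EDU = {
                kdc = kerberos-1.csail.mit.edu
                kdc = kerberos-2.csail.mit.edu
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
        }
        ANDREW.CMU.EDU = {
                kdc = vice28.fs.andrew.cmu.edu:88
                kdc = vice2.fs.andrew.cmu.edu
                admin_server = vice28.fs.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
"""

# SRV targets as they appear in the report's dig output (constructed table; a live
# check would query _kerberos._tcp.<REALM> and collect the target hostnames).
SRV_ANSWERS = {
    "CSAIL.MIT.EDU": ["alsatian.csail.mit.edu."],
    "ANDREW.CMU.EDU": ["KDC-02.ANDREW.CMU.EDU.", "PPA-KDC-01.ANDREW.CMU.EDU.",
                       "KDC-01.ANDREW.CMU.EDU."],
}


def parse_krb5(text):
    """Return (default_realm, {realm: [kdc host, ...]}) from a krb5.conf body.

    Only [libdefaults] default_realm and the kdc lines of each [realms] stanza are
    extracted; other keys are ignored. Ports on kdc values are stripped.
    """
    default_realm = None
    realms = {}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults":
            key, _, value = line.partition("=")
            if key.strip() == "default_realm":
                default_realm = value.strip()
        elif section == "realms":
            m = re.match(r"([\w.\-]+)\s*=\s*\{$", line)
            if m:
                current = m.group(1)
                realms[current] = []
            elif line == "}":
                current = None
            elif current is not None:
                key, _, value = line.partition("=")
                if key.strip() == "kdc":
                    realms[current].append(value.strip().split(":")[0].lower())
    return default_realm, realms


def stale_realms(conf_realms, srv):
    """Realms whose configured KDC set differs from what DNS SRV advertises.

    Returns {realm: (configured_hosts, advertised_hosts)}; names are compared
    case-insensitively and without the trailing dot dig prints.
    """
    out = {}
    for realm, kdcs in conf_realms.items():
        advertised = {h.lower().rstrip(".") for h in srv.get(realm, [])}
        if set(kdcs) != advertised:
            out[realm] = (sorted(set(kdcs)), sorted(advertised))
    return out


def foreign_realms(default_realm, conf_realms):
    """Configured realms other than the site's own default realm."""
    return sorted(r for r in conf_realms if r != default_realm)


if __name__ == "__main__":
    default_realm, realms = parse_krb5(KRB5_CONF)
    for realm in foreign_realms(default_realm, realms):
        print(f"realm {realm} is configured but is not the local realm {default_realm}")
    for realm, (conf, adv) in stale_realms(realms, SRV_ANSWERS).items():
        print(f"realm {realm}: configured kdc {conf} vs DNS SRV {adv}")
```

On the constructed input both quoted realms are reported as foreign to EXAMPLE.COM and both are reported as stale, since none of the configured kdc hosts appears among the SRV targets.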