On 11-06-09 20:16, Sam Hartman <hartm...@debian.org> wrote:
> Hi.
>
> Current KDCs actually support a better option than DNS-based referrals.
> A KDC can issue a referral indicating what realm a host lives in. The
> MIT and Microsoft KDCs definitely support this. I believe this was
> added to MIT in 1.8 or possibly 1.7; Microsoft has always had it.
>
> The client support has been there since 1.6 or earlier.
>
> Is the DNS-based solution still better in your environment?

Yes.

> If so, why?

DNS is managed by the (independent) administrator of each realm; each new host entered there would be tagged by the responsible administrator with the appropriate realm via a _kerberos IN TXT entry. Each host needs to be tagged because administrative domains and Kerberos realms are not in sync with DNS (sub)domains and delegations for a lot of reasons I don't want to go into.

Referrals, on the other hand, would have to be kept in sync on all realms' KDCs manually. Each new host would need to be entered into DNS as well as into each KDC configuration. Since DNS subdomains are not congruent with Kerberos realms, the configuration would need to name each host specifically and assign it to a realm. While that could be automated with some effort, it would essentially duplicate what DNS does anyway. At least that is what I understood from the limited documentation available on the subject; I could very well be totally wrong and I would appreciate any advice.

In our case the (not yet implemented) scenario would look something like this: a number of important host-realm associations would be configured on each KDC, so that those can be discovered via referrals. Those would also be kept in sync as far as possible across the various realms. At the same time, new hosts and services that are created would automatically work, since the hostname in DNS is available at the same time as its realm association. The more secure and stable association via the KDC config can then be added later.

Ciao,

Alexander Wuerstlein.
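The two realm-discovery mechanisms contrasted in this reply (a static host-to-realm mapping maintained in client or KDC configuration versus per-host `_kerberos` TXT records that the zone administrator maintains in DNS) can be illustrated with a small emulation of the lookup order a krb5 client applies. The code below is an added example, not part of the original mail or of the krb5 code base: it uses a constructed in-memory zone and a constructed `[domain_realm]`-style mapping instead of real DNS or krb5.conf, and the hostnames and realm names in it are invented. It returns which source decided the realm so that a caller can tell an answer taken from unauthenticated DNS apart from one taken from configuration, which is the trust distinction the reply draws when it calls the KDC-config association the more secure one.

```python
"""Emulation of krb5-style host realm lookup: static mapping first, then DNS
TXT records (if enabled), then the default realm.  Added example with
constructed data; not code from the original mail or from krb5."""

from typing import Dict, Iterator, Optional, Tuple

# Constructed static mapping, in the spirit of a krb5.conf [domain_realm]
# section.  Keys starting with "." cover a whole DNS subtree; other keys
# match exactly one host.  The "legacy" host shows the case the reply
# describes: a host whose realm does not follow its DNS subdomain.
DOMAIN_REALM: Dict[str, str] = {
    ".corp.example.org": "CORP.EXAMPLE.ORG",
    "legacy.corp.example.org": "OLD.EXAMPLE.ORG",
}

# Constructed _kerberos TXT records.  The zone administrator tags individual
# hosts (db7) whose realm cannot be inferred from the enclosing domain, and
# gives the zone as a whole a catch-all tag.
DNS_TXT: Dict[str, str] = {
    "_kerberos.db7.lab.example.org": "LAB.EXAMPLE.ORG",
    "_kerberos.example.org": "EXAMPLE.ORG",
}


def parents(fqdn: str) -> Iterator[str]:
    """Yield the host itself and each enclosing domain: a.b.c -> a.b.c, b.c, c."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def static_realm(fqdn: str, mapping: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """[domain_realm]-style lookup: exact host entry first, then subtree entries."""
    host = fqdn.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    for domain in parents(host):
        if "." + domain in mapping:
            return mapping["." + domain]
    return None


def dns_realm(fqdn: str, zone: Dict[str, str] = DNS_TXT) -> Optional[str]:
    """dns_lookup_realm-style lookup: TXT _kerberos.<host>, then its parents.

    Realm names are case-sensitive, so the TXT value is used as stored."""
    for name in parents(fqdn):
        value = zone.get("_kerberos." + name)
        if value:
            return value.strip()
    return None


def host_realm(fqdn: str, default_realm: str = "EXAMPLE.ORG",
               dns_lookup_realm: bool = True) -> Tuple[str, str]:
    """Resolve a host's realm and report which source decided it.

    Source "dns_txt" means an unauthenticated DNS answer chose the realm; a
    client that wants the stronger guarantee disables dns_lookup_realm and
    accepts only "domain_realm" or "default_realm" results."""
    realm = static_realm(fqdn)
    if realm:
        return realm, "domain_realm"
    if dns_lookup_realm:
        realm = dns_realm(fqdn)
        if realm:
            return realm, "dns_txt"
    return default_realm, "default_realm"


if __name__ == "__main__":
    for host in ("web1.corp.example.org", "legacy.corp.example.org",
                 "db7.lab.example.org", "www.lab.example.org", "foo.example.net"):
        print(host, "->", host_realm(host), "| dns disabled:",
              host_realm(host, dns_lookup_realm=False))
```

Running it shows the trade-off the reply is making: with DNS lookup enabled, `db7.lab.example.org` lands in `LAB.EXAMPLE.ORG` the moment its TXT record exists, while with DNS lookup disabled the same host silently falls back to the default realm until someone adds the static mapping.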