On Jul 29, 2008, at 08:49, Abhishek Chowdhury wrote:
> Now in the realm AMIT.ABHI.COM I have around 400 entries (services). If I go
> through the method above then I have to enter the 400 entries separately for
> the services in AMIT.ABHI.COM. Also I cannot write abhi.com = AMIT.ABHI.COM
> or .abhi.com=AMIT.ABHI.COM because it is already used for AS.ABHI.COM.
>
> So is there any workaround for this problem?
> Changing of DNS name is also not possible.
> Any pointers in this regard will be very helpful.

If you can add TXT records for the hosts in AMIT, you could enable the use of these TXT records on all the clients; it's a theoretical security weakness, though, which is why it's off by default. The admin or install guides should mention how to set these up, I think. (Sorry, only have a few minutes right now.)

You could also set up some site-wide scheme for distributing updates to the domain_realm section, but that's kind of ugly. If you set KRB5_CONFIG to a colon-separated list of files, the krb5 library code will read all of them in. If you have some site-wide shared file system, you could put a file there with the domain_realm entries for your site, but obviously there are potential security and performance issues there.

Eventually we want to have a way for the KDC to supply this information, but while we've got a spec in the works, we don't have an implementation yet.

Ken
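
The shared-file approach described above, sketched as an added example that is not part of the original message or of the krb5 distribution: it turns a host list into a `[domain_realm]` fragment and checks the file's permissions before it is listed in KRB5_CONFIG. The host names, the function names and the `/shared/krb5/domain_realm.conf` path are assumptions; the realm names come from the thread.

```shell
#!/bin/sh
# Added example. Function names, host names and paths are hypothetical.

# gen_domain_realm REALM < hostlist
# Reads one host name per line and prints a krb5.conf [domain_realm] fragment.
# Names are lowercased and de-duplicated. Leading-dot (whole-domain) entries
# are rejected so the fragment cannot override ".abhi.com = AS.ABHI.COM".
gen_domain_realm() {
    realm=$1
    printf '[domain_realm]\n'
    tr '[:upper:]' '[:lower:]' |
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | sort -u |
    while IFS= read -r host; do
        case $host in
            *[!a-z0-9.-]*|.*|*.|-*|*..*)
                printf 'skipping invalid host name: %s\n' "$host" >&2 ;;
            *)
                printf '    %s = %s\n' "$host" "$realm" ;;
        esac
    done
}

# safe_to_use FILE
# Succeeds only if FILE is a regular file, not a symlink, and not writable by
# group or other. Anyone who can edit this file can change which realm a
# client assumes for a host, so check it before adding it to KRB5_CONFIG.
safe_to_use() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]
}

# Constructed sample input: two hosts (one listed twice in different case)
# and a whole-domain entry that must be skipped.
gen_domain_realm AMIT.ABHI.COM <<'EOF'
host1.abhi.com
HOST1.abhi.com   # duplicate after lowercasing
host2.abhi.com
.abhi.com
EOF

# Clients would then read both files (second path is an assumption):
#   KRB5_CONFIG=/etc/krb5.conf:/shared/krb5/domain_realm.conf
```
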