On Wed, Jul 6, 2011 at 1:01 PM, Ken Hornstein <k...@cmf.nrl.navy.mil> wrote:
> The answers:
>
> - Multihomed hosts (we want to connect to a particular interface, but
>   we want to use one canonical name, because adding a new keytab for a
>   new interface is more of a pain than simply changing the reverse DNS).
>   This also comes into issue when you're doing cross-domain multihoming
>   where the host is in another domain (and other Kerberos realm), and
>   yes, we do that too (but thankfully not that often).

This can be handled by principal name aliasing on the KDC (which Heimdal supports). You still need the additional keytab entries (but not additional actual principals) OR Heimdal's try-all-keys-with-same-enctype/kvno/realm approach when a key cannot be found by matching on principal name.

> - Hostname masquerading, where the host has a CNAME pointing to the
>   "real" name, but for various reasons we want the name used by Kerberos
>   to be the CNAME.

Same answer, I think.

Nico
--
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
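
The keytab lookup discussed in this message, as an added example that is not part of the original post and is not Heimdal's code: a simplified model of matching on principal name first, then trying every key with the same realm/kvno/enctype. The principal names, realm and keys are constructed, and HMAC-SHA256 stands in for the Kerberos integrity check.

```python
import hashlib
import hmac
from collections import namedtuple

# Simplified model; every name, realm and key below is constructed for illustration.
Entry = namedtuple("Entry", "principal realm kvno enctype key")
Ticket = namedtuple("Ticket", "sname realm kvno enctype blob tag")

def seal(key, blob):
    # Assumption: HMAC-SHA256 stands in for the enctype's own integrity check.
    return hmac.new(key, blob, hashlib.sha256).digest()

def issue(sname, realm, kvno, enctype, key, blob=b"ticket-body"):
    # KDC side: the ticket is protected with the service principal's long-term key.
    return Ticket(sname, realm, kvno, enctype, blob, seal(key, blob))

def verifies(entry, ticket):
    return hmac.compare_digest(seal(entry.key, ticket.blob), ticket.tag)

def find_key(keytab, ticket, try_all=True):
    """Return (entry, how) for the key that verifies the ticket, else (None, 'no key')."""
    same = [e for e in keytab
            if (e.realm, e.kvno, e.enctype) == (ticket.realm, ticket.kvno, ticket.enctype)]
    # 1. Normal path: the keytab has an entry under the name in the ticket.
    for e in same:
        if e.principal == ticket.sname and verifies(e, ticket):
            return e, "name match"
    # 2. Fallback: try every key with the same realm/kvno/enctype.
    #    The integrity check, not the name, decides whether a key is accepted.
    if try_all:
        for e in same:
            if verifies(e, ticket):
                return e, "fallback"
    return None, "no key"

KEY = b"k" * 32
KEYTAB = [
    Entry("host/canonical.example.com", "EXAMPLE.COM", 3, "aes256-cts", KEY),
    Entry("host/canonical.example.com", "EXAMPLE.COM", 2, "aes256-cts", b"o" * 32),
]
# KDC-side alias: the ticket names the alias but uses the canonical principal's key.
ALIAS_TICKET = issue("host/if2.example.com", "EXAMPLE.COM", 3, "aes256-cts", KEY)
# A ticket for the same name protected with a key the host does not hold.
BAD_TICKET = issue("host/if2.example.com", "EXAMPLE.COM", 3, "aes256-cts", b"x" * 32)
```

With `try_all=False` the alias ticket is only accepted once the keytab gains an entry under the alias name carrying the same key, which is the "additional keytab entries" alternative from the reply.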