Hi, we plan to use NFSv3 and Kerberos authentication.

Applications which use NFS will be provided with a keytab. In order to have individual keytabs for each instance of an application on lots of servers we plan to use principal type 3 names - NT-SRV-HST - for the clients:

    myapp/host1.dom@REALM
    myapp/host2.dom@REALM
    ...

We have an appliance providing the NFS server facility. The appliance cuts off everything from a client's principal name that follows the first instance. So given the example above I do not need to take care of principal mapping on the server since "myapp" equals "myapp".

On the one hand this seems pretty convenient, but from a security point of view I have some doubts, and that is why I am looking for guidelines. I read the relevant chapters in RFC 1510 (7.2) and 4120 (6.2) and they do not seem to forbid the "blackbox mapping" as described above.

So - does our vendor comply with the RFCs? Are there any kinds of rules or is that completely relative because principal mapping always depends on a customer's requirements?

Thanks for your insight.

--
View this message in context: http://kerberos.996246.n3.nabble.com/Principal-names-mappings-and-RFCs-tp38893.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
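
An added example, not part of the original post and not the appliance's code: a small audit that parses principal names and reports which distinct principals end up as the same local identity when only the first name component is kept, as the post describes. The function names and the sample principals beyond the two from the post are constructed, and `first_component_mapping` is a model of the described behaviour, not the vendor's implementation.

```python
from collections import defaultdict

def parse_principal(text):
    """Split 'comp1/comp2@REALM' into ([components], realm), honouring backslash escapes."""
    components, current, realm = [], [], None
    chars = iter(text)
    for ch in chars:
        if ch == "\\":                        # escaped character is taken literally
            current.append(next(chars, ""))
        elif ch in "/@" and realm is None:    # unescaped separator before the realm
            components.append("".join(current))
            current = []
            if ch == "@":                     # first unescaped '@' starts the realm
                realm = ""
        else:
            current.append(ch)
    if realm is None:
        components.append("".join(current))   # no realm given
    else:
        realm = "".join(current)
    return components, realm

def first_component_mapping(components, realm):
    """Assumed model of the post's appliance: keep only the first component."""
    return components[0]

def full_name_mapping(components, realm):
    """For comparison: the local identity keeps every component and the realm."""
    return (tuple(components), realm)

def collisions(principals, mapping):
    """Return {local identity: [principals]} for identities shared by more than one principal."""
    groups = defaultdict(set)
    for name in principals:
        components, realm = parse_principal(name)
        groups[mapping(components, realm)].add(name)
    return {local: sorted(names) for local, names in groups.items() if len(names) > 1}

# Constructed sample: the two principals from the post plus two made-up ones.
SAMPLE = [
    "myapp/host1.dom@REALM",
    "myapp/host2.dom@REALM",
    "myapp@REALM",
    "otherapp/host1.dom@REALM",
]

if __name__ == "__main__":
    for local, names in collisions(SAMPLE, first_component_mapping).items():
        print(f"{local!r} is shared by: {', '.join(names)}")
```

Run against the principals actually issued in a realm, the report lists every set of keytabs that the server cannot tell apart under the truncating mapping.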
