[20406] in Kerberos_V5_Development
Re: Suggestion of change to certauth plugin interface
daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Feb 24 17:08:20 2023
Date: Fri, 24 Feb 2023 16:07:25 -0600
From: Nico Williams <nico@cryptonector.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Message-ID: <Y/k1HWixiX85BTL4@gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <202212091216.2B9CGGmE027119@hedwig.cmf.nrl.navy.mil>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Fri, Dec 09, 2022 at 07:16:14AM -0500, Ken Hornstein via krbdev wrote:
> >Does NRL use the current multiple realm KDC support? I have been
> >assuming that it's very rare to do so, because there isn't equivalent
> >support in kadmind.
>
> We do not, and I do not know of anyone that does that (but I probably
> am only familiar with the configuration of less than a dozen realms
> and most of them are in a similar environment as ours, so it doesn't
> make sense in those situations).

Heimdal, like MIT, can do it sort of. It really needs to be fully
supported. For example, if we added aliasing of realms (which Heimdal
can do), possibly using case-insensitivity, it ought to just work. Most
of the issues with multiple realms in one KDC are specific to
configuration of the KDC services, not the co-existence of multiple
realms' KDBs in one, or the KDC services being able to query multiple
distinct KDBs. There's no reason that kadmind should accept only one
`-r REALM` option, or that it should require even one -- there should be
a way to say "any realm for which there is a keytab entry" (or a KDB
entry when using the KDB as a keytab).

Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev