Mapping hostnames onto Kerberos realms is done in one of two ways.
The first mechanism, which has been in use for years in MIT-based
Kerberos distributions, works through a set of rules in
the @code{krb5.conf} configuration file. (@xref{krb5.conf}.) You can
specify mappings for an entire domain or subdomain, and/or on a
hostname-by-hostname basis. Since greater specificity takes precedence,
you would do this by specifying the mappings for a given domain or
subdomain and listing the exceptions.
The second mechanism, recently introduced into the MIT code base but not
currently used by default, works by looking up the information in
special @code{TXT} records in the Domain Name System (DNS). If this
mechanism is enabled on the client, it will try to look up a @code{TXT}
record for the DNS name formed by putting the prefix @code{_kerberos} in
front of the hostname in question. If that record is not found, it will
try using @code{_kerberos} and the host's domain name, then its parent
domain, and so forth. So for the hostname
BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be, in order:
@smallexample
_kerberos.boston.engineering.foobar.com
_kerberos.engineering.foobar.com
_kerberos.foobar.com
_kerberos.com
@end smallexample
The value of the first TXT record found is taken as the realm name.
(Obviously, this doesn't work all that well if a host and a subdomain
have the same name but belong to different realms: for example, if all
the hosts in the ENGINEERING.FOOBAR.COM domain are in the
ENGINEERING.FOOBAR.COM realm, but a host named ENGINEERING.FOOBAR.COM is
for some reason in another realm. In that case, you would set up TXT
records for all hosts, rather than relying on the fallback to the domain
name.)
Even if you do not choose to use this mechanism within your site, you
may wish to set it up anyway, for use when interacting with other sites.
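The following is an added illustration, not code from the MIT Kerberos distribution: it models both lookups described above (the @code{krb5.conf} domain mapping with most-specific-match precedence, and the @code{_kerberos} TXT walk-up) against constructed, in-memory data, including the host-versus-subdomain ambiguity noted in the parenthetical. The mapping table, the TXT records and the function names are all assumptions made for this example.

```python
"""Added example (not MIT krb5 code): hostname-to-realm mapping, offline."""

# Constructed stand-in for the [domain_realm] section of krb5.conf.
# Keys starting with "." map a whole domain; bare keys map one host.
DOMAIN_REALM = {
    ".engineering.foobar.com": "ENGINEERING.FOOBAR.COM",
    "engineering.foobar.com": "CORP.FOOBAR.COM",   # the exception from the text
    ".foobar.com": "FOOBAR.COM",
}

# Constructed stand-in for DNS answers: owner name -> TXT record value.
TXT_RECORDS = {
    "_kerberos.engineering.foobar.com": "ENGINEERING.FOOBAR.COM",
    "_kerberos.foobar.com": "FOOBAR.COM",
}


def candidate_names(hostname):
    """_kerberos.<host>, then _kerberos.<each parent domain>, in order."""
    labels = hostname.lower().rstrip(".").split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


def realm_from_config(hostname, mapping=DOMAIN_REALM):
    """Exact host entry wins; otherwise the longest matching domain suffix."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # ".engineering.foobar.com", ".foobar.com", ".com"
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return None


def realm_from_dns(hostname, records=TXT_RECORDS):
    """The first TXT record found walking from host to parents is the realm."""
    for name in candidate_names(hostname):
        if name in records:
            return records[name]
    return None


def lookup_realm(hostname):
    """Configuration mapping first; DNS walk-up only as a fallback."""
    return realm_from_config(hostname) or realm_from_dns(hostname)
```

Running @code{realm_from_dns("engineering.foobar.com")} returns the domain's realm, not the host's, which is exactly the ambiguity the text warns about; the explicit configuration entry resolves it, and since ordinary DNS answers are not authenticated, the configuration mapping is also the one to rely on for hosts you care about.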