[comp.protocols.kerberos] Realm name conventions

hilary@SNLL-ARPAGW.LLNL.GOV (Hilary Jones) (11/20/90)

I have a question about realm names.  If we name our realms using the
normal domain name approach, then the most specific part of the name
comes first and the most general part comes last.  For example, we might
use a name like ROOM.BUILDING.SITE.COMPANY.GOV if we used the domain name
convention.  On the other hand, writing it the other way around seems more
intuitive, perhaps because I am used to the way Unix files are named.
In this case, I would use GOV.COMPANY.SITE.BUILDING.ROOM.  The question
is whether the arrangement of names matters from a technical point of
view.  That is, does Kerberos care whether domain names are compatible
with realm names?  And if it isn't an important issue now, will it
become important in the future?  What if I use Hesiod?  

I am asking because we have two sites, each using a different naming
convention.

dme@doc.imperial.ac.uk (Dave Edmondson) (11/20/90)

hilary was enquiring about the relationship between domain names and
kerberos realms....

they do interact to some extent.  if we leave aside the discussion of
how to decide whether to use big or little endian domain names (ask
any uk site about that), then i would say that it is easier if you
pick your realm to match your domain, especially if all of your hosts
used fully qualified domain names.  at imperial we chose
`doc.ic.ac.uk' as both our domain name and realm, and have been bitten
by even that a few times.  there is at least one place where when
trying to decide the realm of a machine (krb_realmofhost) the
machine's domain name is extracted from the hostname, and then the
whole string is capitalised.  so, i would say, use the same realm name
as your domain name, and ensure that the realm name is capitalised
(DOC.IC.AC.UK).  then you won't have to worry about any of these little
things.

dave.
---
Dave Edmondson, Systems Support.                     Opinions are all my own.
Department of Computing, Imperial College of Science, Technology and Medicine,
180 Queen's Gate, London SW7 1BZ. phone: 071-589-5111 x5085 fax: 071-581-8024
         email: dme@doc.ic.ac.uk, ..!ukc!icdoc!dme, dme@athena.mit.edu
  ``Be selective, be objective, be an asset to the collective'' -- Jazzy B

jon@MIT.EDU (Jon A. Rochlis) (12/07/90)

   
   I have a question about realm names.  If we name our realms using the
   normal domain name approach, then the most specific part of the name
   comes first and the most general part comes last.  For example, we might
   use a name like ROOM.BUILDING.SITE.COMPANY.GOV if we used the domain name
   convention.  On the other hand, writing it the other way around seems more
   intuitive, perhaps because I am used to the way Unix files are named.
   In this case, I would use GOV.COMPANY.SITE.BUILDING.ROOM.  The question
   is whether the arrangement of names matters from a technical point of
   view.  That is, does Kerberos care whether domain names are compatible
   with realm names?  And if it isn't an important issue now, will it
   become important in the future?  What if I use Hesiod?  
   
Hesiod isn't an issue here.  There's one routine in the Kerberos
library which matters (krb_realmofhost).  It looks in /etc/krb.realms
to map a host name (which presumably is offering an authenticated
service you wish to use) into a realm name.  If the host is listed in
krb.realms then the domain name just falls out of that (unlikely).
Otherwise the domain part of the host may be used to map into a realm.
If the domain part is listed in krb.realms the realm supplied in
krb.realms is used, otherwise just the domain name is used.

You'll need to change krb_realmofhost and extend krb.realms if you
want to deal with both kinds of domain names.  (Perhaps adding a simple
type of wildcarding, i.e. GOV.COMPANY.SITE.BUILDING.* is in realm
XXX instead of just .BUILDING.SITE.COMPANY.GOV means
*.BUILDING.SITE.COMPANY.GOV maps to YYY)

It doesn't seem that bad.

		-- Jon
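
The lookup order described in the replies above, as an added example that is not part of the original posts and is not the Kerberos library's source. It models an exact host entry, then a `.domain` entry, then the `prefix.*` wildcard suggested above (a hypothetical extension, not existing krb.realms syntax), then the capitalised domain part; the table contents and host names are constructed.

```python
# Model of the host-to-realm lookup order described in the thread.
# Not the Kerberos library's code; SAMPLE_KRB_REALMS is constructed sample data.
SAMPLE_KRB_REALMS = """\
fileserver.site.company.gov   SPECIAL.REALM
.building.site.company.gov    YYY
gov.company.site.building.*   XXX
"""

def parse_krb_realms(text):
    """Split entries into exact hosts, '.domain' entries and 'prefix.*' wildcards."""
    hosts, domains, prefixes = {}, {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2 or fields[0].startswith("#"):
            continue  # skip blank, malformed and comment lines
        name, realm = fields[0].lower(), fields[1]
        if name.startswith("."):
            domains[name] = realm
        elif name.endswith(".*"):
            # Hypothetical big-endian wildcard; keep the trailing dot so
            # "gov.company.site.building." cannot match "...buildingx.host".
            prefixes[name[:-1]] = realm
        else:
            hosts[name] = realm
    return hosts, domains, prefixes

def realm_of_host(hostname, table):
    """Return the realm for hostname, or None if it has no domain part."""
    hosts, domains, prefixes = table
    host = hostname.lower().rstrip(".")
    if host in hosts:                      # 1. host listed explicitly
        return hosts[host]
    _, dot, rest = host.partition(".")
    if not dot:
        return None                        # unqualified name: not modelled here
    if "." + rest in domains:              # 2. domain part listed
        return domains["." + rest]
    for prefix in sorted(prefixes, key=len, reverse=True):
        if host.startswith(prefix):        # 3. big-endian wildcard, longest first
            return prefixes[prefix]
    return rest.upper()                    # 4. default: capitalised domain part

TABLE = parse_krb_realms(SAMPLE_KRB_REALMS)
```

The default in step 4 assumes the most specific label comes first, so an unlisted big-endian name such as `gov.company.site.lab.ws2` yields `COMPANY.SITE.LAB.WS2` rather than a realm rooted at GOV.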