jmsellens@WATDRAGON.WATERLOO.EDU ("John M. Sellens") (12/21/89)
(I'm not *positive* about the following, but I think it's the way things work.)

The krb.h file defines KRB_MASTER, KRB_HOST and KRB_REALM. The latter two are used if the /etc/krb.conf file does not exist, and KRB_MASTER is used to find the master server (because the krb.conf file doesn't distinguish between servers). Since these are compiled in, you can't use the same binaries in different realms, and you can't use the same source either.

I think this will be a major inconvenience for us if we install kerberos because we would have many realms, all hoping to have software support from the central software guys (i.e. me). (I'm pretty sure that we would have many realms, because we currently have many administrations, many different passwd files, many different areas of authority, and I think many realms would match best.) Additionally, all the realms can't use the hostname "kerberos" because most of them are (currently anyway) in the same IP domain (host.waterloo.edu).

I think it's not too hard to get rid of KRB_REALM and KRB_HOST by having krb_get_lrealm() and krb_get_krbhst() return an error code (e.g. a new KDC_NO_REALM and KDC_NO_HOST). But it appears that KRB_MASTER is a little more entrenched, and requires a different krb.conf format (one that specifies which is the master) or a different way to indicate the master (another configuration file?).

Is anyone looking at this problem? Am I completely off base?

John Sellens
University of Waterloo
jmsellens@dragon.waterloo.edu

jtkohl@ATHENA.MIT.EDU (John T Kohl) (12/21/89)
John Sellens asks:

> I think it's not too hard to get rid of KRB_REALM and KRB_HOST by having krb_get_lrealm() and krb_get_krbhst() return an error code (e.g. a new KDC_NO_REALM and KDC_NO_HOST). But it appears that KRB_MASTER is a little more entrenched, and requires a different krb.conf format (one that specifies which is the master) or a different way to indicate the master (another configuration file?).

There is a library routine, krb_get_admhst(), which already does what you suggest. The real (proper) use of KRB_MASTER is to help define what service name should be used for administrative functions (like changing passwords, etc); there was/is some confusion since the current installation/operation documents tell the SysAdmin to change KRB_MASTER. Revised documents do NOT ask the SysAdmin to change KRB_MASTER, so that it can be used for determining the proper service name, even for inter-realm administration work.

krb_get_lrealm() returns a failure code if it can't find a realm name in the configuration file; however, many programs fall back to the built-in KRB_REALM if this call fails. krb_get_krbhst() also returns an error code if it can't find the nth server for the given realm.

John
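
An added illustration of the behaviour discussed in this thread (not code from either poster or from the Kerberos distribution): a lookup over a krb.conf-style file that returns an error instead of substituting a compiled-in realm, and that takes the administrative server from the file. The `ex_*` names, the status codes and the file layout (local realm on the first line, then `REALM host [admin server]` lines) are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

enum { EX_OK, EX_NO_REALM, EX_NO_HOST };  /* hypothetical codes, not the library's */
#define TOK "%63[^ \t\n]"   /* one token, never reading past the end of a line */
#define GAP "%*[ \t]"       /* blanks between tokens on the same line */

/* Constructed sample. Assumed layout: local realm, then "REALM host [admin server]". */
static const char SAMPLE_CONF[] =
    "MATH.EXAMPLE\n"
    "MATH.EXAMPLE kdc1.math.example\n"
    "MATH.EXAMPLE kdc2.math.example admin server\n"
    "CS.EXAMPLE kdc.cs.example admin server\n";

/* Local realm is the first token of line 1; there is no built-in default. */
int ex_get_lrealm(const char *conf, char *realm, size_t len) {
    char tok[64];
    if (!conf || sscanf(conf, TOK, tok) != 1 || strlen(tok) >= len) return EX_NO_REALM;
    strcpy(realm, tok);
    return EX_OK;
}

/* n-th (1-based) server listed for realm; admin_only keeps "admin server" lines. */
int ex_get_host(const char *conf, const char *realm, int n, int admin_only,
                char *host, size_t len) {
    const char *p = (conf && realm && n >= 1) ? strchr(conf, '\n') : NULL;
    for (; p && *++p; p = strchr(p, '\n')) {   /* p enters at the previous newline */
        char r[64], h[64], a[64] = "", s[64] = "";
        if (sscanf(p, TOK GAP TOK GAP TOK GAP TOK, r, h, a, s) < 2 || strcmp(r, realm))
            continue;
        if (admin_only && (strcmp(a, "admin") || strcmp(s, "server"))) continue;
        if (--n > 0) continue;
        if (strlen(h) >= len) return EX_NO_HOST;
        strcpy(host, h);
        return EX_OK;
    }
    return EX_NO_HOST;
}

/* Resolve the local realm's admin server, failing closed at each step. */
int ex_local_admin(const char *conf, char *host, size_t len) {
    char realm[64];
    if (ex_get_lrealm(conf, realm, sizeof realm) != EX_OK) return EX_NO_REALM;
    return ex_get_host(conf, realm, 1, 1, host, len);
}

int main(void) {
    char host[64] = "(none)";
    return printf("%d %s\n", ex_local_admin(SAMPLE_CONF, host, sizeof host), host) < 0;
}
```

With one binary and a per-realm configuration file, a missing or empty file surfaces as `EX_NO_REALM` to the caller rather than silently selecting whatever realm was compiled in.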