1 Mapping hostnames onto Kerberos realms is done in one of two ways.
3 The first mechanism, which has been in use for years in MIT-based
4 Kerberos distributions, works through a set of rules in
5 the @code{krb5.conf} configuration file. (@xref{krb5.conf}.) You can
6 specify mappings for an entire domain or subdomain, and/or on a
7 hostname-by-hostname basis. Since greater specificity takes precedence,
8 you would do this by specifying the mappings for a given domain or
9 subdomain and listing the exceptions.
11 The second mechanism works by looking up the information in special
12 @code{TXT} records in the Domain Name Service. This is currently not
13 used by default because security holes could result if the DNS TXT
14 records were spoofed. If this mechanism is enabled on the client,
15 it will try to look up a @code{TXT} record for the DNS name formed by
16 putting the prefix @code{_kerberos} in front of the hostname in question.
17 If that record is not found, it will try using @code{_kerberos} and the
18 host's domain name, then its parent domain, and so forth. So for the
19 hostname BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:
22 _kerberos.boston.engineering.foobar.com
23 _kerberos.engineering.foobar.com
28 The value of the first TXT record found is taken as the realm name.
29 (Obviously, this doesn't work all that well if a host and a subdomain
30 have the same name, and different realms. For example, if all the hosts
31 in the ENGINEERING.FOOBAR.COM domain are in the ENGINEERING.FOOBAR.COM
32 realm, but a host named ENGINEERING.FOOBAR.COM is for some reason in
33 another realm. In that case, you would set up TXT records for all
34 hosts, rather than relying on the fallback to the domain name.)
36 Even if you do not choose to use this mechanism within your site, you
37 may wish to set it up anyway, for use when interacting with other sites.
projects / krb5.git / blob