One DNS domain - three realms ?


One DNS domain - three realms ?

Manel Euro
Hello,

I have the following problem:

My company has the following situation:

We have one large DNS domain sgi.nl and we are planning on creating three
realms:

SGI.NL
A.SGI.NL
B.SGI.NL

When configuring my Kerberos clients there is a [domain_realm] tab where
I should put my domain-to-realm maps.

Can I have more than one REALM mapped to a single DNS domain?


Regards,

M.


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: One DNS domain - three realms ?

Kenneth G Raeburn
On Jun 6, 2005, at 06:42, Manel Euro wrote:

> My company has the following situation:
>
> We have one large DNS domain sgi.nl and we are planning on creating
> three realms:
>
> SGI.NL
> A.SGI.NL
> B.SGI.NL
>
> When configuring my Kerberos clients there is a [domain_realm] tab
> where I should put my domain-to-realm maps.

Yes, this is where the mapping goes.  But if machines in one DNS domain
are being mapped to three realms, you're going to have to list each
machine individually instead of simply mapping the entire domain:

   [domain_realm]
       host1.sgi.nl = SGI.NL
       host2.sgi.nl = A.SGI.NL
       host3.sgi.nl = B.SGI.NL

Or, rather, you could make one realm the default and just list all of
the machines in the other realms:

   [domain_realm]
       .sgi.nl = SGI.NL
       host2.sgi.nl = A.SGI.NL
       host3.sgi.nl = B.SGI.NL

Either way, this will be a bit of a headache if/when you add new
machines not in the default realm, as you'll need to update all the
config files.

There is also an option "dns_lookup_realm" in the "libdefaults" section
of the config file which, if turned on, will cause a DNS TXT record
_kerberos.<FQDN> to be checked and, if it's found, the result used as
the realm name for the host <FQDN>.  However, this option is turned off
by default as it introduces a security risk.

Ken

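As an added illustration of the mapping order Ken describes (not code from this thread or from MIT krb5, and a simplified model of libkrb5's lookup: exact host name first, then parent domains, then the default realm), the following Python resolves host names against the second [domain_realm] example and reports which hosts would still need a per-host entry. The config and host lists are constructed for the example.

```python
# Added example: a simplified model of how a krb5 client consults its
# [domain_realm] mapping (most specific entry wins). Not code from the
# mailing list thread or from MIT krb5; libkrb5's real lookup order may
# differ in details. The mapping below is the thread's second example:
# one default realm for the whole DNS domain plus per-host overrides.

DOMAIN_REALM = {
    ".sgi.nl": "SGI.NL",         # default for every host under sgi.nl
    "host2.sgi.nl": "A.SGI.NL",  # per-host override
    "host3.sgi.nl": "B.SGI.NL",  # per-host override
}

DEFAULT_REALM = "SGI.NL"  # stands in for default_realm in [libdefaults]


def map_host_to_realm(host, domain_realm=DOMAIN_REALM,
                      default_realm=DEFAULT_REALM):
    """Return (realm, matched_key) for `host`: exact host name first, then
    each parent domain with and without the leading dot, then the default
    realm (matched_key is None when the default is used). With
    dns_lookup_realm off, no DNS TXT lookup is consulted on the way."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host], host
    labels = host.split(".")
    # Walk up the parent domains: for host1.sgi.nl try sgi.nl, then nl
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        for key in ("." + suffix, suffix):
            if key in domain_realm:
                return domain_realm[key], key
    return default_realm, None


def hosts_needing_per_host_entries(hosts_by_realm, domain_realm=DOMAIN_REALM):
    """Given the intended realm for each host, return the hosts whose
    intended realm differs from what the mapping yields: exactly the
    entries an admin must push to every client's krb5.conf when a new
    machine joins one of the non-default realms."""
    missing = {}
    for host, wanted in hosts_by_realm.items():
        got, _ = map_host_to_realm(host, domain_realm)
        if got != wanted:
            missing[host] = wanted
    return missing
```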

Security risk with '_kerberos.FQDN'? (Was: One DNS domain - three realms ?)

Turbo Fredriksson-3
Quoting Ken Raeburn <[hidden email]>:

> There is also an option "dns_lookup_realm" in the "libdefaults"
> section of the config file which, if turned on, will cause a DNS TXT
> record _kerberos.<FQDN> to be checked and, if it's found, the result
> used as the realm name for the host <FQDN>.  However, this option is
> turned off by default as it introduces a security risk.

Could you please elaborate or point me to a page that explains this?
I've never heard of it before (I haven't been paying attention to
this list for the last couple of months :).
