>>>>> "Steve" == Steve Langasek <[EMAIL PROTECTED]> writes:

    Steve> Package: krb5-config
    Steve> Version: 1.17
    Steve> Severity: minor

    Steve> The krb5-config package chooses a default value for the
    Steve> host's default realm based on the output of the
    Steve> dnsdomainname command.

    Steve> This is not always the correct value.
    Steve> <http://tools.ietf.org/id/draft-ietf-krb-wg-krb-dns-locate-02.txt>,
    Steve> which AIUI is the same draft that specifies the Kerberos
    Steve> SRV records, describes how to declare a Kerberos realm for
    Steve> a given domain name using a TXT record.  

Actually, no.  That's a dead, expired draft.  The SRV records are
specified by RFC 4120.

    Steve> If such a text
    Steve> record is available that matches the hostname, would it be
    Steve> reasonable for krb5-config to use this value as a default
    Steve> instead of the dnsdomainname?

I think so.  Especially in something that was only executed once.

Note that the default realm of a host doesn't really have to do so
much with the domain realm mapping.  The draft you cite is actually
more discussing domain realm mapping although I do believe it tries to
conflate in default realm.  However assuming that default realm and
domain realm mapping happen to work out to be the same is a good
initial guess.  

Before MIT Kerberos 1.6 the default realm was reasonably unimportant
from a security standpoint.  However I'd want to redo the analysis
because the referrals code may change this.  Either way I think making
that guess in krb5-config would be a fine idea.

I'm not sure how to do that only with essential packages though.
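
The guess discussed in this message, sketched as an added example that is not part of the original thread or of krb5-config: look for a realm TXT record under the `_kerberos.` name used by the draft cited above, and fall back to the upper-cased DNS domain. It goes slightly beyond the message by also trying parent domains; `txt_lookup` is a hypothetical stand-in for a real DNS query and answers from a constructed table so the script runs offline.

```shell
#!/bin/sh
# Hypothetical stand-in for a DNS TXT query. A real version would call a
# resolver tool such as dig or host, which are not essential packages.
# The names and answers below are constructed sample data.
txt_lookup() {
    case "$1" in
        _kerberos.example.org)      echo "EXAMPLE.ORG" ;;
        _kerberos.dept.example.net) echo "CORP.EXAMPLE.NET" ;;
        _kerberos.bad.example)      echo "NOT A REALM" ;;
        *) return 1 ;;
    esac
}

# TXT answers are unauthenticated, so accept only plausible realm names
# before offering one as a default.
valid_realm() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# guess_default_realm FQDN
# Tries _kerberos.<name> for the host name and then each parent domain,
# stopping before the top-level label. If nothing usable is found, falls
# back to the upper-cased DNS domain, as the dnsdomainname default does.
guess_default_realm() {
    name=$1
    case "$name" in
        *.*) fallback=$(printf '%s' "${name#*.}" | tr 'a-z' 'A-Z') ;;
        *)   fallback= ;;   # no domain part at all
    esac
    while :; do
        case "$name" in *.*) ;; *) break ;; esac
        if realm=$(txt_lookup "_kerberos.$name") && valid_realm "$realm"; then
            printf '%s\n' "$realm"
            return 0
        fi
        name=${name#*.}
    done
    printf '%s\n' "$fallback"
}
```

The result is only an initial guess for the default realm, to be shown to the administrator for confirmation rather than trusted as a domain-realm mapping.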


