>>>>> "Steve" == Steve Langasek <[EMAIL PROTECTED]> writes:

    Steve> Package: krb5-config
    Steve> Version: 1.17
    Steve> Severity: minor

    Steve> The krb5-config package chooses a default value for the
    Steve> host's default realm based on the output of the
    Steve> dnsdomainname command.

    Steve> This is not always the correct value.

    Steve> <http://tools.ietf.org/id/draft-ietf-krb-wg-krb-dns-locate-02.txt>,
    Steve> which AIUI is the same draft that specifies the Kerberos
    Steve> SRV records, describes how to declare a Kerberos realm for
    Steve> a given domain name using a TXT record.

Actually, no. That's a dead, expired draft. The SRV records are specified by RFC 4120.

    Steve> If such a text
    Steve> record is available that matches the hostname, would it be
    Steve> reasonable for krb5-config to use this value as a default
    Steve> instead of the dnsdomainname?

I think so. Especially in something that was only executed once.

Note that the default realm of a host doesn't really have to do so much with the domain realm mapping. The draft you cite is actually more discussing domain realm mapping, although I do believe it tries to conflate in default realm.

However, assuming that default realm and domain realm mapping happen to work out to be the same is a good initial guess.

Before MIT Kerberos 1.6 the default realm was reasonably unimportant from a security standpoint. However, I'd want to redo the analysis because the referrals code may change this.

Either way, I think making that guess in krb5-config would be a fine idea. I'm not sure how to do that only with essential packages though.