On 05/14/2018 07:30 AM, Paul Robert Marino wrote:
> In modern implementations no in fact you shouldn't instead you should use the 
> DNS for all of these settings and at most use the default realm and possibly 
> the domain to realm matching section.
> In most implementations of Kerberos the ability to set this local is 
> deprecated or not avaliable at all amy more. Even in MIT's implementation it 
> is slated to go away in a few versions so it is generally considered a bad 
> idea to use it. Also the testers of the client libraries are mostly testing 
> around DNS so you may run into issues if you use that section of the 
> configuration.

Speaking as the primary maintainer of MIT krb5, we have no plans to get
rid of [realms] -> realmname -> kdc, and to my knowledge we never had
any such plans.  Our continuous integration tests use it, and many
client machines at MIT specify [realms] -> ATHENA.MIT.EDU -> kdc values.
 I don't see anything in our documentation discouraging its use.

Also, I'm not sure this answer is responsive to the original question,
which was about the KDC.  As to that question, I am not super familiar
with the Heimdal code, but looking at kdc/connect.c:configure() and
lib/krb5/get_addrs.c:krb5_get_all_server_addrs(), it doesn't look like
the KDC uses [realms] -> realmname -> kdc.  Instead, it looks like it
uses [kdc] -> addresses and [kdc] -> ports; if those don't exist, it
enumerates interface addresses and uses a list of standard ports (port
88 and maybe port 80 and 9878 depending on whether the KDC is also
serving HTTP and kx509).

Reply via email to