On Sat, 30 Dec 2000, Dr A V Le Blanc wrote:

> On Fri, Dec 29, 2000 at 12:03:18PM -0500, Ken Hornstein wrote:
> >>No.  The realm is specified in a config file on the client.  Current
> >>thinking here is don't even bother making it match the DNS domain.
> > 
> > Puh-LEASE be careful when you say this.  The _only_ person I ever knew
> > who ran a V5 realm with AFS that didn't match his domain name regretted
> > it for a long time.
> 
> We had two problems here:
> 
> We had three DNS names in the original cell.  Thus at least some
> machines could not match realm and DNS domain no matter which realm
> we chose.
> 
> We were told when we set up the cell (1990 or 1991) that the
> DNS names would all be changing.  So we chose a realm name that
> matched one of the 3 new DNS names.  Alas, the change never took
> place.
> 
> It is doable.  But you must get the K5 configs right.

What are all the problems, Ken?  If you do a krb5.conf file on your
clients with a domain_realm section to map your DNS domain name to the
Kerberos realm name, doesn't that essentially address any issues?  Or are
there some quirks in the software that don't check the domain_realm
entries for everything?

I'm in the same boat - the DNS names will be changing, the only question
is when, but I need to build the Kerberos realm now.

        -Michael Pelletier.
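
Added example, not part of the original message and not code from any Kerberos distribution: a small audit that reads the `[domain_realm]` section of a krb5.conf and lists hosts that would not resolve to the intended realm. The realm and host names are constructed placeholders, and the lookup order (exact host entry, then `.suffix` entries from most to least specific, then the uppercased domain part) is a simplified model assumed here, not the library's actual code path.

```python
import re

# Constructed sample: one realm serving hosts in three DNS domains (placeholder names).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.ORG

[domain_realm]
    .example.org = EXAMPLE.ORG
    .cs.example.net = EXAMPLE.ORG
    legacy.example.com = EXAMPLE.ORG
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {lower-cased host or .domain: realm}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def host_realm(hostname, mapping):
    """Assumed lookup model: exact host, then '.suffix' entries, then uppercased domain."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):            # most specific suffix first
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return ".".join(labels[1:]).upper()        # no entry applies: guess from DNS domain

def audit(hostnames, conf_text, expected_realm):
    """Return {host: resolved realm} for every host that misses expected_realm."""
    mapping = parse_domain_realm(conf_text)
    resolved = {h: host_realm(h, mapping) for h in hostnames}
    return {h: r for h, r in resolved.items() if r != expected_realm}

if __name__ == "__main__":
    hosts = ["afs1.example.org", "db.cs.example.net", "legacy.example.com",
             "www.example.com", "mail.example.net"]
    print(audit(hosts, SAMPLE_KRB5_CONF, "EXAMPLE.ORG"))
```

Running it against every client and server hostname before a DNS rename shows which names still need a `domain_realm` entry.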

