Turbo Fredriksson wrote:
> Quoting "Douglas E. Engert" <[EMAIL PROTECTED]>:
>
>>The kadmin/[EMAIL PROTECTED] should be kadmin/[EMAIL PROTECTED]
>>i.e. host names in Kerberos are always FQDN.
>
> Just for completeness, my extreme curiosity etc. Why EXACTLY is that. If the
> DNS works perfectly (both forward and reverse), then it should be possible to
> NOT have the FQDN... ?

DNS is not secure, so you need to have the client, server and KDC agree on a
convention on what represents a service principal. The
<service>/<FQDN>@<REALM> is the common convention used. The kadmin service
expects FQDNs.

> And why not use IPs (other than if the IP changes, the
> key is invalid)?

You could, but that is not the usual convention. The use of the FQDN also
allows a user to specify the name which is somewhat representative of a
service, whereas an IP is not. For example one should look closely at a URL to
see that it is using some FQDN that is somehow associated with the site. I
don't trust URLs with IP numbers. The same goes for Kerberos principals.

> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
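An added example, not part of the original message: a small audit that checks a list of principal names against the <service>/<FQDN>@<REALM> convention described in the reply and flags host components that are short names or IP addresses. The service list, the non-host instance names, the sample principals and the function names are assumptions made for illustration; backslash-escaped separators in principal names are not handled.

```python
import ipaddress
import re

# Assumption: services whose second component is expected to be a host name.
HOST_BASED = {"host", "HTTP", "ldap", "nfs", "kadmin"}
# Assumption: kadmin instances that are not host names and are skipped.
NON_HOST_INSTANCES = {"admin", "changepw", "history"}

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(principal):
    """Return 'fqdn', 'short-name', 'ip-address', 'malformed' or 'not-host-based'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        return "malformed"
    parts = name.split("/")
    if len(parts) != 2:
        return "not-host-based"  # e.g. a user principal
    service, instance = parts
    if service not in HOST_BASED or instance in NON_HOST_INSTANCES:
        return "not-host-based"
    try:
        ipaddress.ip_address(instance)
        return "ip-address"
    except ValueError:
        pass  # not an IP literal, treat it as a host name
    labels = instance.rstrip(".").split(".")
    if not all(LABEL.match(label) for label in labels):
        return "malformed"
    return "fqdn" if len(labels) >= 2 else "short-name"


def audit(principals):
    """Return (principal, verdict) pairs that break the FQDN convention."""
    results = ((p, classify(p)) for p in principals)
    return [(p, v) for p, v in results if v not in ("fqdn", "not-host-based")]


# Constructed sample, in the shape of names listed from a keytab.
SAMPLE = [
    "kadmin/kdc1.example.org@EXAMPLE.ORG",
    "kadmin/kdc1@EXAMPLE.ORG",
    "kadmin/admin@EXAMPLE.ORG",
    "host/192.0.2.10@EXAMPLE.ORG",
    "alice@EXAMPLE.ORG",
]

if __name__ == "__main__":
    for principal, verdict in audit(SAMPLE):
        print(f"{verdict:12} {principal}")
```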
