Path: utzoo!utgpu!watserv1!watmath!att!linac!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!samsung!cs.utexas.edu!sun-barr!lll-winken!unixhub!shelby!MIT.EDU!jon
From: jon@MIT.EDU (Jon A. Rochlis)
Newsgroups: comp.protocols.kerberos
Subject: Re: Realm name conventions
Message-ID: <9012061817.AA04199@delwin.MIT.EDU>
Date: 6 Dec 90 18:17:32 GMT
References: <9011191655.AA28847@snll-arpagw.llnl.gov>
Sender: news@shelby.stanford.edu (USENET News System)
Organization: Internet-USENET Gateway at Stanford University
Lines: 32

> I have a question about realm names. If we name our realms using
> the normal domain name approach, then the most specific part of the
> name comes first and the most general part comes last. For example,
> we might use a name like ROOM.BUILDING.SITE.COMPANY.GOV if we used
> the domain name convention. On the other hand, writing it the other
> way around seems more intuitive, perhaps because I am used to the
> way Unix files are named. In this case, I would use
> GOV.COMPANY.SITE.BUILDING.ROOM.
>
> The question is whether the arrangement of names matters from a
> technical point of view. That is, does Kerberos care whether domain
> names are compatible with realm names? And if it isn't an important
> issue now, will it become important in the future? What if I use
> Hesiod?

Hesiod isn't an issue here. There's one routine in the Kerberos
library which matters (krb_realmofhost). It looks in /etc/krb.realms
to map a host name (which presumably is offering an authenticated
service you wish to use) into a realm name. If the host is listed in
krb.realms then the domain name just falls out of that (unlikely).
Otherwise the domain part of the host may be used to map into a realm.
If the domain part is listed in krb.realms the realm supplied in
krb.realms is used, otherwise just the domain name is used.

You'll need to change krb_realmofhost and extend krb.realms if you
want to deal with both kinds of domain names. (Perhaps adding a simple
type of wildcarding, i.e. GOV.COMPANY.SITE.BUILDING.* is in realm XXX
instead of just .BUILDING.SITE.COMPANY.GOV means
*.BUILDING.SITE.COMPANY.GOV maps to YYY)

It doesn't seem that bad.

		-- Jon
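
The lookup order described in the reply above, with the suggested PREFIX.* wildcard added, as an example written for this page (it is not the Kerberos library's krb_realmofhost source and not code from the poster). The table contents, the name realm_of_host, the in-memory table in place of /etc/krb.realms, and upper-casing the fallback domain are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define REALM_SZ 40

/* Constructed sample table in krb.realms style ("name realm"); not a real site's file. */
static const struct { const char *pat, *realm; } tab[] = {
    { "kdc.building.site.company.gov", "SPECIAL" }, /* host listed by name */
    { ".building.site.company.gov",    "YYY" },     /* domain entry */
    { "gov.company.site.building.*",   "XXX" },     /* proposed prefix wildcard */
};
#define NTAB (sizeof tab / sizeof tab[0])

/* Hypothetical model of the lookup: returns 1 and fills out, or 0 if no realm can be derived. */
int realm_of_host(const char *host, char out[REALM_SZ])
{
    const char *dom = strchr(host, '.');  /* domain part: from the first dot on */
    size_t i, n;
    for (i = 0; i < NTAB; i++)            /* 1. the host itself is listed */
        if (strcasecmp(host, tab[i].pat) == 0)
            goto found;
    for (i = 0; dom && i < NTAB; i++)     /* 2. the domain part is listed */
        if (strcasecmp(dom, tab[i].pat) == 0)
            goto found;
    for (i = 0; i < NTAB; i++) {          /* 3. extension: "PREFIX.*" entries */
        n = strlen(tab[i].pat);
        if (n > 2 && strcmp(tab[i].pat + n - 2, ".*") == 0 &&
            strncasecmp(host, tab[i].pat, n - 1) == 0 && host[n - 1] != '\0')
            goto found;
    }
    if (!dom || !dom[1])                  /* no domain part to fall back on */
        return 0;
    for (i = 0; dom[1 + i] && i < REALM_SZ - 1; i++)  /* 4. use the domain name itself */
        out[i] = (char)toupper((unsigned char)dom[1 + i]); /* upper-casing: assumption */
    out[i] = '\0';
    return 1;
found:
    snprintf(out, REALM_SZ, "%s", tab[i].realm);
    return 1;
}

int main(void)
{
    char r[REALM_SZ];
    puts(realm_of_host("gov.company.site.building.room12", r) ? r : "(none)");
    return 0;
}
```

A general-first host name with no matching wildcard entry reaches step 4, which strips the first label and returns the rest as the realm; for such names that drops the most general label rather than the host label, which is why the table needs extending.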