Changes between Initial Version and Version 5 of Ticket #1384
- Timestamp:
- 12/28/14 21:53:13 (9 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Ticket #1384 – Description
initial v5 9 9 10 10 Here are a couple of approaches. For merely fully-qualifying a domain name: 11 * Active Directory solves this in a straightforward manner by issuing a domain-joined server a `host/machine@EXAMPLE.COM` key as well as a `host/machine.example.com@ MACHINE.EXAMPLE.COM` one. We could do that: I don't see a security issue in creating `host/linerva@ATHENA.MIT.EDU` etc. keytabs, but maybe I'm not thinking hard enough. This requires no client changes.11 * Active Directory solves this in a straightforward manner by issuing a domain-joined server a `host/machine@EXAMPLE.COM` key as well as a `host/machine.example.com@EXAMPLE.COM` one. We could do that: I don't see a security issue in creating `host/linerva@ATHENA.MIT.EDU` etc. keytabs, but maybe I'm not thinking hard enough. This requires no client changes. 12 12 * We can also have the Kerberos libraries process `/etc/resolv.conf`, which would let them know how unqualified names should be fully-qualified. 13 13
