Changes between Initial Version and Version 5 of Ticket #1384


Timestamp:
12/28/14 21:53:13 (10 years ago)
Author:
andersk

  • Ticket #1384 – Description

    initial v5  
    99 
    1010Here are a couple of approaches. For merely fully-qualifying a domain name: 
    11  * Active Directory solves this in a straightforward manner by issuing a domain-joined server a `host/machine@EXAMPLE.COM` key as well as a `host/machine.example.com@MACHINE.EXAMPLE.COM` one. We could do that: I don't see a security issue in creating `host/linerva@ATHENA.MIT.EDU` etc. keytabs, but maybe I'm not thinking hard enough. This requires no client changes. 
     11 * Active Directory solves this in a straightforward manner by issuing a domain-joined server a `host/machine@EXAMPLE.COM` key as well as a `host/machine.example.com@EXAMPLE.COM` one. We could do that: I don't see a security issue in creating `host/linerva@ATHENA.MIT.EDU` etc. keytabs, but maybe I'm not thinking hard enough. This requires no client changes. 
    1212 * We can also have the Kerberos libraries process `/etc/resolv.conf`, which would let them know how unqualified names should be fully-qualified. 
    1313
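Review bot: the revised line 11 still leaves open whether unqualified hostnames are unique within the realm, which is what the "I don't see a security issue" remark depends on. A short-name principal such as `host/linerva@ATHENA.MIT.EDU` names exactly one key, so the description should either state that short names are unique across every DNS domain the realm serves or say which host gets the principal when two machines share a short name. It would also help to note who is allowed to request a short-name keytab, since that principal is what a client reaches whenever it does not qualify the name.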