Subject: need realm identification at service level
For some uncommon(?) configurations like running a single service on a machine in one
realm, while other services on the machine are in a different realm, we should have a
mechanism for identifying the realm of a single service, perhaps as an extension to the
domain-realm mapping in the config file.

Doing this with KDC-based referrals shouldn't be hard, when we get there, but I suspect in
the majority of cases it'll be done for testing or short-lived services for which the
administrative hassle or delay in updating the (production) KDC with the new service makes it
a poor choice; that would presumably be the case for adding referral data too. In such cases,
though, we really don't need a solution that scales up well, and tweaking the config file is
probably adequate.