Re: Any workaround for [domain_realm] section
On Jul 29, 2008, at 08:49, Abhishek Chowdhury wrote:
> Now in the realm AMIT.ABHI.COM I have around 400 entries (services). If I go
> through the method above then I have to enter the 400 entries separately for
> the services in AMIT.ABHI.COM. Also I cannot write abhi.com =
> or .abhi.com=AMIT.ABHI.COM because it is already used for AS.ABHI.COM.
> So is there any workaround for this problem?
> Changing of DNS name is also not possible.
> Any pointers in this regard will be very helpful.

If you can add TXT records for the hosts in AMIT, you could enable the
use of these TXT records on all the clients; it's a theoretical
security weakness, though, which is why it's off by default. The
admin or install guides should mention how to set these up, I think.
(Sorry, only have a few minutes right now.)

You could also set up some site-wide scheme for distributing updates
to the domain_realm section, but that's kind of ugly.

If you set KRB5_CONFIG to a colon-separated list of files, the krb5
library code will read all of them in. If you have some site-wide
shared file system, you could put a file there with the domain_realm
entries for your site, but obviously there are potential security and
performance issues there.

Eventually we want to have a way for the KDC to supply this
information, but while we've got a spec in the works, we don't have an
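
An added example, not part of the original message and not MIT krb5 code: one way to keep the shared domain_realm file described in the reply manageable is to generate it from a host inventory and validate every name first. The host names, the helper names, and the simplified lookup model (exact host name first, then progressively shorter domain suffixes) are assumptions made for illustration.

```python
import re

# Constructed sample inventory of hosts that belong to AMIT.ABHI.COM.
AMIT_HOSTS = ["Mail01.abhi.com", "db07.abhi.com.", "print3.abhi.com", "db07.abhi.com"]
# Existing suffix mapping described in the thread.
SUFFIX_MAP = {".abhi.com": "AS.ABHI.COM", "abhi.com": "AS.ABHI.COM"}

_HOST_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def render_domain_realm(hosts, realm):
    """Build a [domain_realm] fragment with one lower-case host entry per line."""
    names = set()
    for raw in hosts:
        name = raw.strip().rstrip(".").lower()
        # Reject anything that is not a plain FQDN so a bad inventory line
        # cannot inject extra relations or sections into the shared file.
        if not _HOST_RE.match(name):
            raise ValueError(f"not a plain host name: {raw!r}")
        names.add(name)
    body = "".join(f"    {n} = {realm}\n" for n in sorted(names))
    return "[domain_realm]\n" + body


def parse_domain_realm(text):
    """Read 'name = REALM' lines back into a dict (flat fragments only)."""
    mapping = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key] = value
    return mapping


def realm_for_host(host, mapping):
    """Simplified lookup model: exact host, then '.suffix', then 'suffix', walking up."""
    p = host.rstrip(".").lower()
    while p:
        if p in mapping:
            return mapping[p]
        if p.startswith("."):
            p = p[1:]
        else:
            dot = p.find(".")
            p = p[dot:] if dot != -1 else ""
    return None


if __name__ == "__main__":
    # Save the output as an extra file and list it in KRB5_CONFIG after the main krb5.conf.
    print(render_domain_realm(AMIT_HOSTS, "AMIT.ABHI.COM"), end="")
```

Because every client trusts this file for realm selection, it should be writable only by administrators and checked into review like any other configuration.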