author: Nicolas Williams <nico@cryptonector.com> 2021-05-13 00:43:26 -0500
committer: Greg Hudson <ghudson@mit.edu> 2024-05-13 12:47:47 -0400
commit: d035119c3b2b402f3ad49a4c7b6264826ea923bb (patch)
tree: d11952914a3be3f3971062bc0faf0949b1fe229f /doc
parent: 6b74b6c18feab1f3d72d00ae412a93c6bfa4a00a (diff)
Support site-local KDC discovery via DNS
Add the sitename realm variable. If set, service location via DNS will be attempted using the site name as specified in [MS-ADTS] 6.3.2.3, falling back to regular discovery on failure.

[ghudson@mit.edu: made this strictly a realm variable; moved k5_get_sitename() to locate_kdc.c and made it take a krb5_data input; fixed a memory leak; corrected documentation changes; fleshed out commit message]

ticket: 9124 (new)
Diffstat (limited to 'doc')
-rw-r--r-- doc/admin/conf_files/krb5_conf.rst | 4
-rw-r--r-- doc/admin/realm_config.rst | 10
2 files changed, 14 insertions, 0 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index ab73a69..2a45b1e 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -551,6 +551,10 @@ following tags may be specified in the realm's subsection:
the updated database has not been propagated to the replica
servers yet. New in release 1.19.
+**sitename**
+ Specifies the name of the host's site for the purpose of DNS-based
+ KDC discovery for this realm. New in release 1.22.
+
**v4_instance_convert**
This subsection allows the administrator to configure exceptions
to the **default_domain** mapping rule. It contains V4 instances
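Review bot: The new **sitename** entry says the variable names the host's site but not what the client does with it, and the fallback to regular discovery on failure that the commit message describes does not appear here either; an administrator reading only krb5.conf(5) cannot tell whether a wrong or stale site name breaks KDC lookup or merely slows it. Since the realm_config.rst change in this same commit explains the ".*sitename*._sites" insertion and sits next to the ``kdc_discovery`` label, a pointer would close the gap, e.g. "See :ref:`kdc_discovery` for how the site name is used in SRV and URI lookups; lookup falls back to regular discovery if no site-specific records are found."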
diff --git a/doc/admin/realm_config.rst b/doc/admin/realm_config.rst
index 35e4857..d0ed6f0 100644
--- a/doc/admin/realm_config.rst
+++ b/doc/admin/realm_config.rst
@@ -195,6 +195,13 @@ using the **kdc**, **master_kdc**, **admin_server**, and
explicit server locations, providing SRV records will still benefit
unconfigured clients, and be useful for other sites.
+Clients can be configured with the **sitename** realm variable (new in
+release 1.22). If a site name is set, the client first attempts SRV
+record lookups with ".*sitename*._sites" inserted after the service
+and protocol name and before the Kerberos realm. Site-specific
+records may indicate servers more proximal to the client, allowing for
+faster access.
+
.. _kdc_discovery:
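Review bot: The paragraph describes only the first, site-qualified attempt and never states what happens when no site-specific records exist, although the commit message says the client falls back to regular discovery on failure; that fallback is exactly what an administrator needs to know before setting a site name, because it means a mismatched site name costs an extra DNS round trip rather than a lookup failure. Suggest adding after "faster access." a sentence such as "If no site-specific records are found, the client falls back to the regular lookup without the site name." It would also help to show the resulting query shape once (the site label and "_sites" placed between the service/protocol labels and the realm, as the text describes) and to cite [MS-ADTS] 6.3.2.3 as the commit message does, so readers recognise this as the Active Directory site-aware convention rather than an MIT-specific scheme.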
@@ -243,6 +250,9 @@ URI lookups are enabled by default, and can be disabled by setting
precedence over SRV lookups, falling back to SRV lookups if no URI
records are found.
+The **sitename** variable in the :ref:`realms` section of
+:ref:`krb5.conf(5)` applies to URI lookups as well as SRV lookups.
+
.. _db_prop:
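Review bot: This sentence says **sitename** "applies to URI lookups as well", but unlike the SRV paragraph it does not say where the site label goes in the URI record name, nor what the fallback order is once a site name is set; the preceding lines say URI lookups "take precedence over SRV lookups, falling back to SRV lookups if no URI records are found", so the reader is left to guess whether a miss on the site-qualified URI name falls back to the plain URI lookup first or straight to SRV lookups. Suggest spelling out the site-qualified URI name form and the full fallback sequence (site-qualified URI, then plain URI, then SRV, or whatever the code actually does) in one or two sentences here.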