| commit | decd8f4102d68629f2a78ab96605990e4b90f25e | |
| author | Nicolas Williams <nico@twosigma.com> | |
| Thu, 7 Oct 2021 03:06:46 +0000 (6 22:06 -0500) | ||
| committer | Nicolas Williams <nico@twosigma.com> | |
| Mon, 11 Oct 2021 18:58:15 +0000 (11 13:58 -0500) | ||
| tree | e24bbf6f0cbca6833234fcb6b7bb0141addda208 | treesnapshot (tar.gz zip) |
| parent | a703bd1212f97eee0ecb75215e008741653ac53b | commitdiff |
hdb: Support referrals via aliases
The TGS will issue referrals based on [domain_realm] mappings.
With this change the TGS will also issue referrals based on HDB entry
aliases.
The TGS needed no changes for this, only support in lib/hdb was missing.
All we had to do was return HDB_ERR_WRONG_REALM from hdb_fetch_kvno()
when the given principal is an alias and its canonical name's realm is
different from the alias'.
This feature is important because the KDC currently does not re-read
krb5.conf and must be restarted for changes to e.g., [domain_realm]
mappings to take effect. As well, making krb5.conf changes to all the
KDCs for a realm would need to be arranged. But with aliases in the
HDB, these problems go away.
Relatedly, we should really have an option to store the KDC's entire
configuration in the HDB...
Futures:
- Add support for aliasing of entire namespaces via HDB aliases with
WELLKNOWN namespace name forms. This will round out domain-to-realm
mapping configuration support via HDB.
The TGS will issue referrals based on [domain_realm] mappings.
With this change the TGS will also issue referrals based on HDB entry
aliases.
The TGS needed no changes for this, only support in lib/hdb was missing.
All we had to do was return HDB_ERR_WRONG_REALM from hdb_fetch_kvno()
when the given principal is an alias and its canonical name's realm is
different from the alias'.
This feature is important because the KDC currently does not re-read
krb5.conf and must be restarted for changes to e.g., [domain_realm]
mappings to take effect. As well, making krb5.conf changes to all the
KDCs for a realm would need to be arranged. But with aliases in the
HDB, these problems go away.
Relatedly, we should really have an option to store the KDC's entire
configuration in the HDB...
Futures:
- Add support for aliasing of entire namespaces via HDB aliases with
WELLKNOWN namespace name forms. This will round out domain-to-realm
mapping configuration support via HDB.
| lib/hdb/common.c | diffblobblamehistory |