>>>>> "David" == David Magda <david.ma...@oicr.on.ca> writes:
David> Why are all of these domains in the default install of
David> Debian? There are even bugs (621875, 587624) for updating
David> people's domains: why?!

It's generally useful to have the domain-realm entries and if the realm doesn't have SRV records it's generally useful to have the realms entry. It allows a Debian user to kinit and use services in one of these realms more easily. It also makes it easier to guess the default realm of a system.

You ask to have these realms removed. My question is what harm is done by having them there? The default configuration also enables SRV lookups, so when the Kerberos library encounters a realm that it doesn't know about it will already try and use it.

Also, note that being in krb5.conf generally doesn't imply trust in a realm. Knowing about a realm doesn't mean you trust it to do anything. There are some routing decisions that are affected when you have credentials in a realm that has a cross-realm trust with another realm and your local krb5.conf has domain-realms sections pointing to that other realm. These routing decisions do sometimes impact trust, but again, only if you have a cross-realm trust established in the first place.

Based on the description of your configuration I don't see trust or other impact to the default krb5.conf. What harm do you see?
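To see which realms a given krb5.conf actually knows about, and which of them rely on DNS SRV discovery because they appear only in [domain_realm], a small audit script helps. This is an added example, not part of the original message or of Debian's packaging; the parser is a simplification, the sample config is constructed, and `parse`/`audit` are hypothetical names.

```python
import re

# Constructed sample with placeholder realms, not Debian's shipped krb5.conf.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
    }
[domain_realm]
    .example.org = EXAMPLE.ORG
    .lab.example = LAB.EXAMPLE
"""

def parse(text):
    """Simplified parser: [sections], 'key = value', one level of { } nesting."""
    conf, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if (m := re.fullmatch(r"\[(\w+)\]", line)):
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            elif block is not None:
                block.setdefault(key, []).append(value)
            else:
                section[key] = value
    return conf

def audit(text):
    conf = parse(text)
    realms = conf.get("realms", {})
    mapped = set(conf.get("domain_realm", {}).values())
    default = conf.get("libdefaults", {}).get("default_realm")
    return {
        "static_kdc": sorted(r for r, b in realms.items() if b.get("kdc")),
        # Mapped realm with no [realms] entry: KDC discovery falls to DNS SRV.
        "needs_srv": sorted(mapped - set(realms)),
        "known_non_default": sorted((set(realms) | mapped) - {default}),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The output is an inventory of what the file lists; it says nothing about cross-realm trust, which is established on the KDC side.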