Multiple domain referral patch and Kerberos 1.31
Ben Creech
bpcreech at eos.ncsu.edu
Wed Sep 24 10:07:52 EDT 2003
>>>>>> "Ben" == Ben Creech <bpcreech at eos.ncsu.edu> writes:
>
> Ben> Is anyone using the patch to allow MIT KDCs to use
> Ben> Microsoft's trust referral mechanism with Kerberos 1.31? If
> Ben> so, do you have any comments on how well or poorly it works?
>
> No one at MIT has evaluated or looked at the patch.
>
Ok, now I'm confused as to who wrote the patch. From the previously linked
UMICH patch page:
"Here is the original patch we received from MIT (believed to be written by
Microsoft)"
So did someone at MIT just forward the patch without looking at it, or is
this statement incorrect? Perhaps you mean no one has looked at the patch
*recently*, eg, after UMICH's modifications, or for 1.31?
It does look like the patch was written by Microsoft, judging by the
(apparently) recent addition of the RealmFlags = 8 bit flag to Microsoft's
Kerberos settings. This setting is evidently used to indicate that a
non-Microsoft KDC is capable of MS-style transitive trusts - i.e., that it
has their referral patch.
More information about the Kerberos
mailing list