[windows-hied]: Re: Multiple domain referral patch and Kerberos 1.31
Paul B. Hill
pbh at MIT.EDU
Wed Sep 24 10:31:12 EDT 2003
Perhaps a more accurate statement would be no one currently employed by MIT
or actively working on the MIT Kerberos code reviewed the patch.

The patch was indeed given to MIT by Microsoft. The patch was examined by
two people at MIT and was modified to work with the then current MIT
Kerberos release. MIT made the decision not to incorporate the patch because
the referral mechanism was not part of the RFC and MIT was/is viewed as the
reference implementation.

The patch was given to UMich because their domain design required its use
(MIT's domain design does not require its use). UMich is the redistribution
point for the patch in my opinion and I think they have periodically updated
it to remain compatible with the MIT distribution.

I believe that UMich and some other sites are using the patch in deployed
production systems.

Paul

-----Original Message-----
From: owner-windows-hied at lists.Stanford.EDU
[mailto:owner-windows-hied at lists.Stanford.EDU] On Behalf Of Ben Creech
Sent: Wednesday, September 24, 2003 10:08 AM
To: kerberos at mit.edu; windows-hied at lists.Stanford.EDU
Subject: [windows-hied]: Re: Multiple domain referral patch and Kerberos
1.31
>>>>>> "Ben" == Ben Creech <bpcreech at eos.ncsu.edu> writes:
>
> Ben> Is anyone using the patch to allow MIT KDCs to use
> Ben> Microsoft's trust referral mechanism with Kerberos 1.31? If
> Ben> so, do you have any comments on how well or poorly it works?
>
> No one at MIT has evaluated or looked at the patch.
>
Ok, now I'm confused as to who wrote the patch. From the previously linked
UMICH patch page:

"Here is the original patch we received from MIT (believed to be written by
Microsoft)"

So did someone at MIT just forward the patch without looking at it, or is
this statement incorrect? Perhaps you mean no one has looked at the patch
*recently*, e.g., after UMICH's modifications, or for 1.31?

It does look like the patch was written by Microsoft, judging by the
(apparently) recent addition of the RealmFlags = 8 bit flag to Microsoft's
Kerberos settings. This setting is evidently used to indicate that a
non-Microsoft KDC is capable of MS-style transitive trusts - i.e., that it
has their referral patch.