Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...

Lara Adianto m1r4cle_26 at yahoo.com
Wed Apr 7 23:23:57 EDT 2004


Hello,

Quoting from the paper of Michael Swift, Irina
Kosinovsky and Jonathan Trostle titled Implementation
of Crossrealm Referral Handling in the MIT Kerberos
Client:

"The Windows 2000 client does not canonicalize names
at all, so the short name is sent to the KDC." 

Hence, if my understanding is correct, a request for
service: host/service-name.foo.org will be sent to MIT
Kerberos KDC as host/service-name@KERBEROS.REALM and
not as host/service-name.foo.org@KERBEROS.REALM
 
How does MIT Kerberos determine the appropriate realm
to be used in issuing a referral ticket for the
client's request? DNS? Krb5.conf? Does this mean
that every service-name must have an entry in the DNS
or Krb5.conf? For example:
serviceA = realmA
serviceB = realmB
Coz I think the KDC doesn't have any clue of the
domain of the service, only the service-name...

Thanks in advance,
-lara-

=====
------------------------------------------------------------------------------------ 
Life, you see, is never as good nor as bad as one thinks
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
