Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...
Lara Adianto
m1r4cle_26 at yahoo.com
Wed Apr 7 23:23:57 EDT 2004
Hello,
Quoting from the paper of Michael Swift, Irina
Kosinovsky and Jonathan Trostle titled Implementation
of Crossrealm Referral Handling in the MIT Kerberos
Client:
"The Windows 2000 client does not canonicalize names
at all, so the short name is sent to the KDC."
Hence, if my understanding is correct, a request for
service: host/service-name.foo.org will be sent to MIT
Kerberos KDC as host/service-name@KERBEROS.REALM and
not as host/service-name.foo.org@KERBEROS.REALM.
How does MIT Kerberos determine the appropriate realm
to be used in issuing a referral ticket for the
client's request? DNS? Krb5.conf? Does this mean
that every service-name must have an entry in the DNS
or Krb5.conf? For example:
serviceA = realmA
serviceB = realmB
Coz I think the KDC doesn't have any clue of the
domain of the service, only the service-name...
Thanks in advance,
-lara-
=====
------------------------------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks
- Guy de Maupassant -
------------------------------------------------------------------------------------
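
The per-name mapping the question proposes, as an added example (not part of the original post and not MIT Kerberos code): a simplified model of a krb5.conf `[domain_realm]`-style lookup, showing that a fully qualified host resolves through its domain suffix while a short name resolves only if it has its own entry. The sample configuration, realm names and function names are constructed for illustration.

```python
# Added illustration; simplified model, not MIT Kerberos source code.
# Constructed sample mapping in krb5.conf [domain_realm] syntax.
SAMPLE_CONF = """
[domain_realm]
    .foo.org = FOO.ORG
    servicea = REALMA
    serviceb = REALMB
"""

def parse_domain_realm(text):
    """Return {name: realm} from the [domain_realm] section of text."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment line
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            name, realm = (p.strip() for p in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def realm_for_host(host, mapping):
    """Exact host entry first, then each parent domain written as '.domain'."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    idx = host.find(".")
    while idx != -1:
        if host[idx:] in mapping:
            return mapping[host[idx:]]
        idx = host.find(".", idx + 1)
    return None                              # nothing to match on

def realm_for_principal(principal, mapping):
    """Map a host-based principal 'service/host[@REALM]' to a realm."""
    parts = principal.split("@", 1)[0].split("/")
    if len(parts) != 2:
        return None                          # not a host-based service name
    return realm_for_host(parts[1], mapping)

if __name__ == "__main__":
    m = parse_domain_realm(SAMPLE_CONF)
    for p in ("host/service-name.foo.org@KERBEROS.REALM",   # suffix match
              "host/service-name@KERBEROS.REALM",           # short name, no entry
              "host/serviceA@KERBEROS.REALM"):              # short name with entry
        print(p, "->", realm_for_principal(p, m))
```
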