Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...

Kevin Coffman kwc at citi.umich.edu
Thu Apr 8 09:32:31 EDT 2004


We needed this referral support in our environment (using an MIT KDC 
for initial authentication to Windows).  We started with a patch 
reported to have originated at Microsoft.  It simply sent all referrals 
off to a domain specified in krb5.conf.  We needed to support two 
Windows forests so we added code to use the service name to determine 
the correct destination for the referral.  Our patch uses a new 
'domain_referral' stanza in the krb5.conf file.

This left the problem of short names, which give no clue as to which 
domain the referral should go.  We punted on this issue. In the case of 
a short name, we send the referral to the "default" domain.  In our 
case, the default domain is our production forest, rather than our test 
forest.  I haven't heard of any complaints.  An alternative would be to 
have another mapping of short names to referral domain.

See http://www.citi.umich.edu/u/kwc/krb5stuff/referrals.html for more 
info.
  
K.C.
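The referral-selection rule described above (pick the destination forest from the service name's domain, punt short names to the default), written out as an added Python example; this is not Kevin's patch, whose real krb5.conf syntax lives at the linked page, and the `DOMAIN_REFERRAL` table, default realm and principal names below are constructed assumptions.

```python
# Added example, not the CITI patch: chooses the Windows realm to which an
# MIT KDC should refer a service request. The dict below stands in for a
# hypothetical 'domain_referral' stanza; its key names are assumptions.

# Constructed mapping: DNS domain suffix of the service host -> Windows realm.
DOMAIN_REFERRAL = {
    "prod.example.edu": "PROD.EXAMPLE.EDU",
    "test.example.edu": "TEST.EXAMPLE.EDU",
}
DEFAULT_REFERRAL_REALM = "PROD.EXAMPLE.EDU"  # where short names are sent


def split_principal(principal: str):
    """Split 'svc/instance@REALM' into (service, instance, realm); realm may be None."""
    name, _, realm = principal.partition("@")
    service, _, instance = name.partition("/")
    if not instance:
        raise ValueError(f"no instance component in principal: {principal!r}")
    return service, instance, realm or None


def referral_realm(principal: str, table=DOMAIN_REFERRAL, default=DEFAULT_REFERRAL_REALM):
    """Return (realm, reason). The longest matching domain suffix wins; a
    short (dot-less) instance carries no domain and goes to the default realm."""
    _, instance, _ = split_principal(principal)
    host = instance.lower().rstrip(".")
    if "." not in host:
        return default, "short name carries no domain; punting to default realm"
    labels = host.split(".")
    # Longest suffix first, so 'x.test.example.edu' is not caught by 'example.edu'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in table:
            return table[suffix], f"matched domain_referral entry {suffix!r}"
    return default, f"no domain_referral entry for {host!r}; using default realm"


if __name__ == "__main__":
    for p in ("host/www.test.example.edu@KERBEROS.REALM",
              "host/db.prod.example.edu@KERBEROS.REALM",
              "host/service-name@KERBEROS.REALM",
              "HTTP/box.other.org@KERBEROS.REALM"):
        realm, why = referral_realm(p)
        print(f"{p} -> {realm} ({why})")
```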

> Hello,
> 
> Quoting from the paper of Michael Swift, Irina
> Kosinovsky and Jonathan Trostle titled Implementation
> of Crossrealm Referral Handling in the MIT Kerberos
> Client:
> 
> "The Windows 2000 client does not canonicalize names
> at all, so the short name is sent to the KDC." 
> 
> Hence, if my understanding is correct, a request for
> service: host/service-name.foo.org will be sent to MIT
> Kerberos KDC as host/service-name at KERBEROS.REALM and
> not as host/service-name.foo.org at KERBEROS.REALM 
>  
> How does MIT Kerberos determine the appropriate realm
> to be used in issuing a referral ticket for the
> client's request ? DNS ? Krb5.conf ? Does this mean
> that every service-name must have an entry in the DNS
> or Krb5.conf. For example:
> serviceA = realmA
> serviceB = realmB
> Coz I think the KDC doesn't have any clue of the
> domain of the service, only the service-name...
> 
> Thanks in advance,
> -lara-
> 
> =====