Problems with TGS referral ...
Tom Yu
tlyu at MIT.EDU
Tue May 4 16:53:40 EDT 2010
"Richard E. Silverman" <res at qoxp.net> writes:

> The MIT code also requires that the principal type in the request be
> NT-HST-SRV in order for it to automatically issue referrals; Windows,
> however, sets the type to NT-HST-SRV. The logic is this (comments taken

I think you mean NT-SRV-INST.

> Given this, I had to patch the code to get it working, but it does work.
> Also, you have to code the host->realm mappings for hosts you want
> referrals on into krb5.conf; it doesn't seem to use the DNS for this
> (_kerberos TXT RR's). You'd have to be careful with that anyway; it would
> be very easy to get referral loops, given that the Windows and Unix views
> of realm membership don't match up.

This should be fixed in krb5-1.8.1. See RT ticket #6685:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6685
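
Added example (not part of the original message and not MIT krb5 code): a check for the referral loops mentioned in the quoted text, run over each realm's [domain_realm] mappings before they are deployed. The realm names, hosts, mappings and the simplified lookup order (exact host entry, then longest ".domain" entry) are assumptions made for illustration.

```python
# Added example: simplified model of referral chasing, not MIT krb5 code.
# Realm names, hosts and mappings are constructed for illustration.

def parse_domain_realm(text):
    """Parse the body of a krb5.conf [domain_realm] section into a dict."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;[" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def lookup(mapping, host):
    """Exact host entry first, then the longest matching '.domain' entry."""
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None

def chase(views, start_realm, host, max_hops=10):
    """Follow referrals realm to realm; return (path, status)."""
    path, realm = [start_realm], start_realm
    while len(path) <= max_hops:
        target = lookup(views.get(realm, {}), host)
        if target is None or target == realm:
            return path, "resolved" if target == realm else "no-mapping"
        if target in path:  # a realm we already asked: referral loop
            return path + [target], "loop"
        path.append(target)
        realm = target
    return path, "too-many-hops"

# Each realm's KDC has its own idea of which realm owns which hosts.
VIEWS = {
    "UNIX.EXAMPLE.COM": parse_domain_realm("""
        .corp.example.com = AD.EXAMPLE.COM
    """),
    "AD.EXAMPLE.COM": parse_domain_realm("""
        fs1.corp.example.com = UNIX.EXAMPLE.COM
        .corp.example.com = AD.EXAMPLE.COM
    """),
}

if __name__ == "__main__":
    for host in ("dc1.corp.example.com", "fs1.corp.example.com"):
        print(host, *chase(VIEWS, "UNIX.EXAMPLE.COM", host))
```
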