referrals and canonicalization

Isaac Boukris iboukris at gmail.com
Thu Feb 27 14:23:59 EST 2020


On Thu, Feb 27, 2020 at 8:03 PM Ben Gooley <bgooley at cloudera.com> wrote:
>
> Hello everyone,
>
> Java just decided to support Kerberos referrals and canonicalization and it
> is turned on by default.
> This brings up a question about implementation in MIT Kerberos:
>
> Does MIT Kerberos support referrals by default or must canonicalization be
> turned on in order to handle referrals?

Can you be more specific? What use case exactly do you have in mind?
Roughly, I think in MIT, both client and KDC won't do referrals if the
canonicalize flag was not set on the request, but it is often set
automatically.

BTW, in my opinion, we shouldn't care about the canonicalize flag for
referrals. Windows doesn't seem to really care either (they'll return
both client and server referrals, even with the flag off), I think MS
just abused this flag in RFC 6806 as a generic excuse flag whenever
they deviated from RFC 4120 (while they only use the flag for
canonicalization purposes).

