Microsoft Referral Code for Clients

Wachdorf, Daniel R drwachd at
Wed Jul 9 15:19:14 EDT 2003

I am looking into implementing the MS referral code for clients. The server
side referral code already exists in a patch available from the University
of Michigan.  The client code would allow clients to be ignorant of all
trust relationships.  They would then just ask the local kdc for all service
principals.  The kdc, depending on the domain name of the service principal,
will return a cross-realm tgt to the next server in the referral path, as
determined by the config file.

I have found that I can change the function krb5_get_cred_from_kdc_opt
to do the following:
- copy the in_cred structure (the principal in_cred->server will be
service_principal at localrealm; all service principals are considered in the
local realm)
- get a local tgt
- call krb5_get_cred_via_tkt given the local tgt and in_cred
- if I receive a service ticket I am done. If not, then I will receive a
cross realm tgt.  Change the realm of the copy of in_cred->server to be the
foreign realm of the returned tgt.
- call krb5_get_cred_via_tkt again.  Repeat until I have the service ticket.

The problem I have realized is that the principal in_cred->service will be
service_principal at localrealm and the principal out_cred->service will be
service_principal at foreignrealm.  Does this matter?  GSSAPI doesn't seem to
care.  Do developers who use the native Kerberos code usually make sure that
in_cred->server matches out_cred->server?

Daniel Wachdorf
drwachd at
Sandia National Laboratories
System Security Research and Integration
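The client loop described in the post, as an added simulation that is not MIT Kerberos code and not the author's patch: a mock KDC per realm plays the server-side referral logic (service ticket if the service's domain maps to its own realm, otherwise a cross-realm TGT for the next hop from a capaths-style table), and the client keeps re-asking the referred realm until it holds a service ticket. The realm names, domain-to-realm mapping, capaths table, and the `Ticket`/`mock_kdc`/`get_cred_with_referrals` names are all constructed for illustration. It goes slightly beyond the post by tracking visited realms and a hop limit, so a misconfigured referral path that points back to an earlier realm fails cleanly instead of looping, and it returns both the name the client asked for (the local-realm form) and the name on the ticket it finally got, which is exactly the mismatch the post asks about.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class KrbError(Exception):
    """Generic failure from the mock KDC or the client referral loop."""


@dataclass(frozen=True)
class Ticket:
    kind: str    # "tgt" (local or cross-realm) or "service"
    server: str  # principal the ticket is for, e.g. "krbtgt/ENG.EXAMPLE.COM@CORP.EXAMPLE.COM"
    realm: str   # for a TGT: the realm it can be presented to; for a service ticket: the issuer


# Constructed configuration standing in for the KDC's config file.
DOMAIN_REALM: Dict[str, str] = {
    "corp.example.com": "CORP.EXAMPLE.COM",
    "eng.example.com": "ENG.EXAMPLE.COM",
    "lab.example.com": "LAB.EXAMPLE.COM",
    "loop.example.com": "LOOP.EXAMPLE.COM",   # only reachable through a broken path (below)
}
# capaths-style table: this realm -> {target realm: next hop to refer the client to}
CAPATHS: Dict[str, Dict[str, str]] = {
    "CORP.EXAMPLE.COM": {"ENG.EXAMPLE.COM": "ENG.EXAMPLE.COM",
                         "LAB.EXAMPLE.COM": "ENG.EXAMPLE.COM",
                         "LOOP.EXAMPLE.COM": "ENG.EXAMPLE.COM"},
    "ENG.EXAMPLE.COM": {"LAB.EXAMPLE.COM": "LAB.EXAMPLE.COM",
                        "LOOP.EXAMPLE.COM": "CORP.EXAMPLE.COM"},   # misconfigured: points back
    "LAB.EXAMPLE.COM": {},
}
LOCAL_TGT = Ticket("tgt", "krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM", "CORP.EXAMPLE.COM")


def realm_for_service(service: str) -> Optional[str]:
    """Longest-suffix domain_realm lookup for a 'svc/host' name (constructed rules)."""
    host = service.split("/", 1)[1]
    parts = host.split(".")
    for i in range(len(parts)):
        realm = DOMAIN_REALM.get(".".join(parts[i:]))
        if realm:
            return realm
    return None


def mock_kdc(kdc_realm: str, tgt: Ticket, service: str) -> Ticket:
    """One TGS exchange at a realm's KDC: service ticket if the service is local,
    otherwise a cross-realm TGT for the next hop on the configured referral path."""
    if tgt.kind != "tgt" or tgt.realm != kdc_realm:
        raise KrbError(f"{kdc_realm}: presented TGT is not valid here")
    target = realm_for_service(service)
    if target is None:
        raise KrbError(f"{kdc_realm}: no realm known for {service}")
    if target == kdc_realm:
        return Ticket("service", f"{service}@{kdc_realm}", kdc_realm)
    next_hop = CAPATHS.get(kdc_realm, {}).get(target)
    if next_hop is None:
        raise KrbError(f"{kdc_realm}: no referral path to {target}")
    return Ticket("tgt", f"krbtgt/{next_hop}@{kdc_realm}", next_hop)


def get_cred_with_referrals(local_realm: str, local_tgt: Ticket, service: str,
                            max_hops: int = 8) -> Tuple[str, Ticket, List[str]]:
    """Client side of the post: always ask for service@LOCALREALM, follow cross-realm
    TGTs until a service ticket comes back.  Returns (requested name, ticket, hops)."""
    requested = f"{service}@{local_realm}"      # the in_cred->server form, local realm
    realm, tgt = local_realm, local_tgt
    visited, path = set(), []                    # loop/hop guards, not in the post
    for _ in range(max_hops):
        visited.add(realm)
        ticket = mock_kdc(realm, tgt, service)
        if ticket.kind == "service":
            return requested, ticket, path
        if ticket.realm in visited:
            raise KrbError("referral loop: " + " -> ".join([local_realm] + path + [ticket.realm]))
        path.append(ticket.realm)
        realm, tgt = ticket.realm, ticket        # re-ask the referred realm with its TGT
    raise KrbError(f"gave up after {max_hops} referral hops")


if __name__ == "__main__":
    req, tkt, hops = get_cred_with_referrals("CORP.EXAMPLE.COM", LOCAL_TGT, "host/db.lab.example.com")
    print("asked for :", req)          # client-side name, local realm
    print("got       :", tkt.server)   # name on the ticket, foreign realm
    print("via       :", hops)
    try:
        get_cred_with_referrals("CORP.EXAMPLE.COM", LOCAL_TGT, "host/x.loop.example.com")
    except KrbError as e:
        print("failed    :", e)
```

Running it shows the two names differing only in realm, so any caller that compares `in_cred->server` to the returned ticket's server byte-for-byte would have to compare the name components without the realm, or accept the realm substitution, once referrals are in use.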


More information about the krbdev mailing list