Null realms and servers

Nicolas Williams Nicolas.Williams at
Sun Dec 17 23:15:21 EST 2006

On Sat, Dec 16, 2006 at 10:08:11AM -0500, Jeffrey Altman wrote:
> Nicolas Williams wrote:
> > On Fri, Dec 15, 2006 at 09:27:16PM -0500, Sam Hartman wrote:
> >>>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at> writes:
> >>     Nicolas> Just a few days ago I discussed with Sam an alternative
> >>     Nicolas> fallback host2realm resolution that Solaris will likely
> >>     Nicolas> soon sport:
> >>
> >>
> >> Right.  I said at the time I was not thrilled by this strategy, but
> >> didn't see a problem.  Note that I still see no problem with this
> >> strategy for client side mapping to realms.
> > 
> > And how is krb5_sname_to_principal() to know that it's being called
> > client-side vs. server-side?
> Its not supposed to know.  The reason for the NULL realm being returned
> by krb5_sname_to_principal is for client applications that currently
> call it to be given a principal name in return that triggers the use
> of Kerberos referrals without requiring that all the applications in
> the world be re-written.

There are other ways to achieve this effect.

When the krb5_prompter turned out to be too simple MIT resorted to using
the krb5_context to pass additional information between the krb5_gic API
and the application.

IMO the same approach could and should be used here to enable this feature
backwards compatibly.


More information about the krbdev mailing list