Null realms and servers
Nicolas.Williams at sun.com
Sun Dec 17 23:15:21 EST 2006
On Sat, Dec 16, 2006 at 10:08:11AM -0500, Jeffrey Altman wrote:
> Nicolas Williams wrote:
> > On Fri, Dec 15, 2006 at 09:27:16PM -0500, Sam Hartman wrote:
> >>>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
> >> Nicolas> Just a few days ago I discussed with Sam an alternative
> >> Nicolas> fallback host2realm resolution that Solaris will likely
> >> Nicolas> soon sport:
> >> Right. I said at the time I was not thrilled by this strategy, but
> >> didn't see a problem. Note that I still see no problem with this
> >> strategy for client side mapping to realms.
> > And how is krb5_sname_to_principal() to know that it's being called
> > client-side vs. server-side?
> It's not supposed to know. The reason for the NULL realm being returned
> by krb5_sname_to_principal is for client applications that currently
> call it to be given a principal name in return that triggers the use
> of Kerberos referrals without requiring that all the applications in
> the world be re-written.
There are other ways to achieve this effect.
When the krb5_prompter turned out to be too simple, MIT resorted to using
the krb5_context to pass additional information between the krb5_gic API
and the application.
IMO the same approach could and should be used here to enable this feature.