support for KDC referrals in the MIT KRB5 code
JC Ferguson
jc at acopia.com
Wed Nov 29 11:44:49 EST 2006
Hi, what version of the MIT KRB5 library code has support for the KDC
referrals internet draft, i.e.,
http://ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-08.txt ? If it isn't supported yet, is it on a roadmap for future
consideration?
The current realm walk code is unable to deal with cases where the realm
FQDNs are not hierarchical, i.e.:
foo.com
bar.foo.com
beans.foo.com
soap.org
shampoo.soap.org
If these realms are all within one trust (i.e., a Microsoft Active
Directory forest with full bi-directional trusts), the realm walk code
does not appear to be able to obtain the correct TGTs for obtaining a
service ticket to a server in shampoo.soap.org for a client in
bar.foo.com.
It appears the internet-draft above would resolve this problem by
following the chain of referral tickets returned rather than brute-force
decomposition of the FQDNs.
thank you,
jc
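To make the failure mode concrete, here is an added simulation (not MIT krb5 code, not from the poster) of the two strategies over the realms named in the post. The hierarchical walk is modelled in simplified form as "climb to the common DNS suffix, then descend" with no [capaths] configured; the trust graph is a constructed model of one forest with two trees, and the tree-root trust between FOO.COM and SOAP.ORG is an assumption.

```python
from collections import deque

# Constructed trust graph: one AD forest, two trees, every trust bi-directional.
# The FOO.COM <-> SOAP.ORG edge is the assumed tree-root trust.
FOREST_TRUSTS = {
    ("BAR.FOO.COM", "FOO.COM"),
    ("BEANS.FOO.COM", "FOO.COM"),
    ("SHAMPOO.SOAP.ORG", "SOAP.ORG"),
    ("FOO.COM", "SOAP.ORG"),
}


def direct_trusts(trusts):
    """Adjacency map of realms that hold cross-realm keys for each other."""
    graph = {}
    for a, b in trusts:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def hierarchical_path(client_realm, server_realm):
    """Realm chain a purely hierarchical walk tries: climb from the client realm
    to the longest common suffix, then descend to the server realm. Realms that
    are never reached by a common suffix (COM, ORG) still appear as hops."""
    c, s = client_realm.split("."), server_realm.split(".")
    n = 0  # number of trailing labels the two realm names share
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    up = [".".join(c[i:]) for i in range(len(c) - n)]
    common = [".".join(c[len(c) - n:])] if n else []
    down = [".".join(s[i:]) for i in range(len(s) - n - 1, -1, -1)]
    return up + common + down


def walk_by_hierarchy(client_realm, server_realm, trusts):
    """Return (path, failing_hop); failing_hop is None when every hop is a direct trust."""
    graph = direct_trusts(trusts)
    path = hierarchical_path(client_realm, server_realm)
    for hop, nxt in zip(path, path[1:]):
        if nxt not in graph.get(hop, ()):
            return path, (hop, nxt)  # no cross-realm TGT for this hop exists
    return path, None


def follow_referrals(client_realm, server_realm, trusts):
    """Model of referral chasing: each KDC hands back a cross-realm TGT for an
    adjacent trusted realm, so the client effectively searches the trust graph
    instead of decomposing names. Breadth-first search gives the shortest chain."""
    graph = direct_trusts(trusts)
    queue, seen = deque([[client_realm]]), {client_realm}
    while queue:
        path = queue.popleft()
        if path[-1] == server_realm:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None  # no trust path at all
```

With these inputs the hierarchical walk stalls at the FOO.COM -> COM hop because no such cross-realm key exists, while referral chasing reaches SHAMPOO.SOAP.ORG via FOO.COM and SOAP.ORG.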