referrals in 1.6

Mark Phalan Mark.Phalan at Sun.COM
Fri Feb 23 10:31:01 EST 2007


Hi,

First a little background ...

Sun is working on a better client zero-conf domain -> realm mapping
for Kerberos.  The zero-conf stuff is fallback which basically
walks the domain name of the host and tries to locate a KDC for
that part of the domain name. Nico has talked about this already
- see the thread "Null realms and servers".

With krb5-1.6, referrals were introduced which changes where the
fallback happens - instead of being done as part of 
krb5_sname_to_princ() it is done in krb5_get_cred_from_kdc().

I've been integrating the referrals changes into our source tree
and have a few questions:

1. Why is there no knob to disable referrals? 
2. From the ticket (#2652) it mentions:
   "- draft and actual microsoft implementation are divergent enough
      that MS machines not usable for full testing"
   Why are referrals enabled if AFAICS there are no KDCs which
   support referrals in this form? Surely it just adds overhead with
   little benefit.
3. When the fallback path is taken in krb5_get_cred_from_kdc (i.e.
   the server princ has "" for its realm) and a cred is returned 
   for that server (i.e. success) the original realmless server
   princ is returned.

z5# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark@Z5.ACME.COM

Valid starting     Expires            Service principal
02/23/07 06:53:42  02/23/07 16:53:42  krbtgt/Z5.ACME.COM@Z5.ACME.COM
        renew until 02/24/07 06:53:42
02/23/07 06:55:18  02/23/07 16:53:42  krbtgt/ACME.COM@Z5.ACME.COM
        renew until 02/24/07 06:53:42
02/23/07 06:55:18  02/23/07 16:53:42  host/z4.acme.com@
        renew until 02/24/07 06:53:42
                                             ^^^^^^^^^^
                                             No realm.
Is this expected behaviour?

Thanks,

-Mark
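The domain walk Mark describes above (strip the host's DNS name one label at a time and look for a KDC at each step), together with the realm-filling step his third question is about, as an added Python example. This is not Sun's or MIT's code. It assumes the KDC lookup is a `_kerberos._udp.<domain>` SRV query (here replaced by a constructed in-memory table so it runs offline), that the walk stops before the bare TLD, and that the realm name is the upper-cased domain at which a KDC was found; the function names are hypothetical.

```python
"""Zero-conf domain -> realm fallback, plus realm completion of a server principal.

Added example; not krb5 or Sun code. DNS is replaced by FAKE_SRV (constructed data).
"""

# Constructed stand-in for DNS: only acme.com publishes a Kerberos SRV record,
# mirroring the cache above where the service ticket came via krbtgt/ACME.COM.
FAKE_SRV = {
    "_kerberos._udp.acme.com": ["kdc1.acme.com", "kdc2.acme.com"],
}


def lookup_kdc_srv(domain, srv_table=FAKE_SRV):
    """Return the KDC hosts advertised for `domain`, or [] if none (hypothetical helper)."""
    return list(srv_table.get(f"_kerberos._udp.{domain}", []))


def domain_to_realm_walk(hostname, lookup=lookup_kdc_srv):
    """Walk the host's domain name looking for a KDC.

    'z4.acme.com' tries 'z4.acme.com' then 'acme.com'; the bare TLD is never
    tried (assumption). Returns (realm, kdcs, domains_tried); realm is None if
    no KDC was found at any level.
    """
    labels = hostname.rstrip(".").lower().split(".")
    tried = []
    for i in range(len(labels) - 1):        # stop short of the TLD
        domain = ".".join(labels[i:])
        tried.append(domain)
        kdcs = lookup(domain)
        if kdcs:
            # Assumption: realm name is the upper-cased domain that has a KDC.
            return domain.upper(), kdcs, tried
    return None, [], tried


def complete_server_principal(sprinc, realm):
    """Fill in the realm of a realmless server principal such as 'host/z4.acme.com@'.

    A principal that already carries a realm is returned unchanged. The realm
    passed in should be the one the KDC actually issued the ticket from, not
    the unauthenticated DNS guess, since SRV answers are spoofable.
    (Escaped '@' inside a principal name is not handled; example only.)
    """
    if "@" in sprinc:
        name, realm_part = sprinc.rsplit("@", 1)
    else:
        name, realm_part = sprinc, ""
    if realm_part:
        return sprinc
    return f"{name}@{realm}"


if __name__ == "__main__":
    realm, kdcs, tried = domain_to_realm_walk("z4.acme.com")
    print("tried:", tried, "-> realm:", realm, "kdcs:", kdcs)
    print(complete_server_principal("host/z4.acme.com@", realm))
```

The walk itself is driven by unauthenticated DNS, so a spoofed SRV answer can steer the client toward an attacker-chosen realm; the realm that ends up in the cached credential should therefore be the one confirmed by the TGS exchange, which is also why a realmless service principal in the cache (as in the `klist` output above) is worth flagging rather than silently accepting.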
