referrals in 1.6
Sam Hartman
hartmans at MIT.EDU
Mon Feb 26 12:25:02 EST 2007
>>>>> "Mark" == Mark Phalan <Mark.Phalan at Sun.COM> writes:
Mark> 1. Why is there no knob to disable referrals?

We'll consider adding one if there's really a need, but we could not
think of one, and it seemed like unnecessary configuration complexity.

Mark> 2. From the ticket (#2652) it mentions:
Mark> "- draft and actual microsoft implementation are divergent enough
Mark> that MS machines not usable for full testing"
Mark> Why are referrals enabled if AFAICS there are no KDCs which
Mark> support referrals in this form? Surely it just adds overhead with
Mark> little benefit.

This code works with the MS KDCs.
We believe it works with the draft too, but were unable to verify it.
The tip of the 1.6 branch does work with MS; there have been some bugs
fixed since 1.6 was released dealing with W2K servers.

Mark> 3. When the fallback path is taken in krb5_get_cred_from_kdc (i.e.
Mark> the server princ has "" for its realm) and a cred is returned
Mark> for that server (i.e. success) the original realm'less server
Mark> princ is returned.
Mark> z5# klist
Mark> Ticket cache: FILE:/tmp/krb5cc_0
Mark> Default principal: mark@Z5.ACME.COM
Mark> Valid starting     Expires            Service principal
Mark> 02/23/07 06:53:42  02/23/07 16:53:42  krbtgt/Z5.ACME.COM@Z5.ACME.COM
Mark>         renew until 02/24/07 06:53:42
Mark> 02/23/07 06:55:18  02/23/07 16:53:42  krbtgt/ACME.COM@Z5.ACME.COM
Mark>         renew until 02/24/07 06:53:42
Mark> 02/23/07 06:55:18  02/23/07 16:53:42  host/z4.acme.com@
Mark>         renew until 02/24/07 06:53:42
Mark>                                                        ^^^^^^^^^^
Mark>                                                        No Realm.
Mark> Is this expected behaviour?

Yes. If you do anything else, you won't cache the resulting
principal.

--Sam
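
The caching point in the last answer, as an added example that is not part of the original message and is not MIT krb5 code. It is a simplified model that assumes cache lookup is an exact match on the server name and realm the caller asked for; cc_lookup, cc_store, kdc_trips and the issuing realm value are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>

/* Toy credential cache: one entry per server principal (name + realm). */
struct cred { char name[64]; char realm[64]; };
struct ccache { struct cred e[8]; int n; };

/* Assumption of this model: lookup is an exact match on name and realm. */
static const struct cred *cc_lookup(const struct ccache *cc,
                                    const char *name, const char *realm)
{
    for (int i = 0; i < cc->n; i++)
        if (!strcmp(cc->e[i].name, name) && !strcmp(cc->e[i].realm, realm))
            return &cc->e[i];
    return NULL;
}

static void cc_store(struct ccache *cc, const char *name, const char *realm)
{
    if (cc->n >= 8) return;                    /* toy cache is full */
    snprintf(cc->e[cc->n].name, sizeof cc->e[0].name, "%s", name);
    snprintf(cc->e[cc->n].realm, sizeof cc->e[0].realm, "%s", realm);
    cc->n++;
}

/* Request host/z4.acme.com with an empty realm `requests` times.
 * keep_requested != 0: store the ticket under the realm-less name asked for.
 * keep_requested == 0: store it under the issuing realm instead.
 * Returns how many simulated KDC exchanges were needed. */
int kdc_trips(int requests, int keep_requested)
{
    struct ccache cc = { .n = 0 };
    const char *name = "host/z4.acme.com", *req_realm = "";
    const char *issuing_realm = "ACME.COM";    /* constructed value */
    int trips = 0;
    for (int i = 0; i < requests; i++) {
        if (cc_lookup(&cc, name, req_realm))
            continue;                          /* cache hit, no KDC traffic */
        trips++;                               /* cache miss: ask the KDC */
        cc_store(&cc, name, keep_requested ? req_realm : issuing_realm);
    }
    return trips;
}

int main(void)
{
    printf("stored as requested: %d KDC trips\n", kdc_trips(5, 1));
    printf("stored with realm:   %d KDC trips\n", kdc_trips(5, 0));
    return 0;
}
```

In this model, storing the ticket under any name other than the one requested makes every later request for the realm-less principal miss the cache.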