referrals in 1.6

Mark Phalan Mark.Phalan at Sun.COM
Tue Feb 27 08:21:20 EST 2007


On Mon, 2007-02-26 at 12:25 -0500, Sam Hartman wrote:
> >>>>> "Mark" == Mark Phalan <Mark.Phalan at Sun.COM> writes:
>     Mark> 1. Why is there no knob to disable referrals? 
> 
> We'll consider adding one if there's really a need, but we could not
> think of one, and it seemed like unnecessary configuration complexity.
> 

The need which would be addressed by this would be for situations where
it was known that referrals would not be used and one of the fall-back
mechanisms was being used (e.g. DNS). The extra TGS-REQ in this case
could be avoided.
I agree that it's a trade-off between configuration complexity and the
extra TGS-REQ. Certainly referrals should be enabled by default.


>     Mark> 2. From the ticket (#2652) it mentions:
>     Mark>    "- draft and actual microsoft implementation are divergent enough
>     Mark>       that MS machines not usable for full testing"
>     Mark>    Why are referrals enabled if AFAICS there are no KDCs which
>     Mark>    support referrals in this form? Surely it just adds overhead with
>     Mark>    little benefit.
> 
> This code works with the MS KDCs.
> We believe it works with the draft too, but were unable to verify it.
> 

Ah, so I misunderstood the comment.

> The tip of the 1.6 branch does work with MS; there have been some bugs
> fixed since 1.6 was released dealing with W2K servers.
> 

I'll see if I can find them.

>     Mark> 3. When the fallback path is taken in krb5_get_cred_from_kdc (i.e.
>     Mark>    the server princ has "" for its realm) and a cred is returned 
>     Mark>    for that server (i.e. success) the original realmless server
>     Mark>    princ is returned.
> 
>     Mark> z5# klist
>     Mark> Ticket cache: FILE:/tmp/krb5cc_0
>     Mark> Default principal: mark@Z5.ACME.COM
> 
>     Mark> Valid starting     Expires            Service principal
>     Mark> 02/23/07 06:53:42  02/23/07 16:53:42  krbtgt/Z5.ACME.COM@Z5.ACME.COM
>     Mark>         renew until 02/24/07 06:53:42
>     Mark> 02/23/07 06:55:18  02/23/07 16:53:42  krbtgt/ACME.COM@Z5.ACME.COM
>     Mark>         renew until 02/24/07 06:53:42
>     Mark> 02/23/07 06:55:18  02/23/07 16:53:42  host/z4.acme.com@
>     Mark>         renew until 02/24/07 06:53:42
>     Mark>                                                        ^^^^^^^^^^
>     Mark>                                                        No Realm.
>     Mark> Is this expected behaviour?
> 
> 
> Yes.  If you do anything else, you won't cache the resulting
> principal.
> 

Ok, makes sense. It is however slightly confusing when referrals are NOT
used.

Thanks,

-Mark

> --Sam
> 
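The realm-less cache entry in the klist output above is easy to miss when reading a credential cache by eye. The following is an added example, not code from this thread or from MIT Kerberos: it parses klist output in the layout quoted in the message (the embedded sample is the message's own output, with the archive's address munging undone) and reports service principals that were cached without a realm, together with any cross-realm TGTs (krbtgt entries whose target realm differs from the realm that issued them). Both are the visible traces of a client having been sent beyond its own realm, whether by a referral or by a fallback such as DNS, and are useful when checking what a cache actually contains. The `@`-splitting honours krb5's `\@` escape; the names, dates and realms are the thread's, nothing else is assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# klist output as quoted in the message above. The "renew until" lines are
# continuation lines and carry no principal of their own.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark@Z5.ACME.COM

Valid starting     Expires            Service principal
02/23/07 06:53:42  02/23/07 16:53:42  krbtgt/Z5.ACME.COM@Z5.ACME.COM
        renew until 02/24/07 06:53:42
02/23/07 06:55:18  02/23/07 16:53:42  krbtgt/ACME.COM@Z5.ACME.COM
        renew until 02/24/07 06:53:42
02/23/07 06:55:18  02/23/07 16:53:42  host/z4.acme.com@
        renew until 02/24/07 06:53:42
"""

# One ticket line: two "MM/DD/YY HH:MM:SS" stamps followed by the principal.
# Header and "renew until" lines do not start with a digit and never match.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\S+)$"
)


@dataclass
class Ticket:
    valid_from: str
    expires: str
    service: str            # principal without realm, e.g. host/z4.acme.com
    realm: Optional[str]    # "" when cached with an empty realm, None if no '@'


def split_principal(princ: str) -> Tuple[str, Optional[str]]:
    """Split 'name@REALM' at the last unescaped '@' (krb5 allows '\\@' in a
    component, so a plain rsplit would be wrong for such names)."""
    for i in range(len(princ) - 1, -1, -1):
        if princ[i] == "@" and (i == 0 or princ[i - 1] != "\\"):
            return princ[:i], princ[i + 1:]
    return princ, None


def parse_klist(text: str) -> List[Ticket]:
    """Return one Ticket per credential line in klist output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if not m:
            continue
        service, realm = split_principal(m.group(3))
        tickets.append(Ticket(m.group(1), m.group(2), service, realm))
    return tickets


def realmless_services(tickets: List[Ticket]) -> List[str]:
    """Service principals cached under a name with an empty realm, which is
    what the fallback path described in the thread leaves in the cache."""
    return [t.service for t in tickets if t.realm == ""]


def cross_realm_tgts(tickets: List[Ticket]) -> List[Tuple[str, str]]:
    """(target realm, issuing realm) for each krbtgt whose realms differ."""
    out = []
    for t in tickets:
        if t.service.startswith("krbtgt/") and t.realm:
            target = t.service[len("krbtgt/"):]
            if target != t.realm:
                out.append((target, t.realm))
    return out


if __name__ == "__main__":
    cache = parse_klist(KLIST_OUTPUT)
    for svc in realmless_services(cache):
        print(f"cached without realm: {svc}")
    for target, issuer in cross_realm_tgts(cache):
        print(f"cross-realm TGT for {target} issued by {issuer}")
```

Run against a live cache with `klist | python3 this_script.py` after swapping `KLIST_OUTPUT` for `sys.stdin.read()`; the regex matches the default MIT klist layout only, so widen it if your build prints a different date format.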
