referrals in 1.6

Mark Phalan Mark.Phalan at Sun.COM
Tue Feb 27 08:21:20 EST 2007

On Mon, 2007-02-26 at 12:25 -0500, Sam Hartman wrote:
> >>>>> "Mark" == Mark Phalan <Mark.Phalan at Sun.COM> writes:
>     Mark> 1. Why is there no knob to disable referrals? 
> We'll consider adding one if there's really a need, but we could not
> think of one, and it seemed like unnecessary configuration complexity.

The need which would be addressed by this would be for situations where
it was known that referrals would not be used and one of the fall-back
mechanisms was being used (e.g. DNS). The extra TGS-REQ in this case
could be avoided.
I agree that it's a trade-off between configuration complexity and the
extra TGS-REQ. Certainly referrals should be enabled by default.

>     Mark> 2. From the ticket (#2652) it mentions:
>     Mark>    "- draft and actual microsoft implementation are divergent enough
>     Mark>       that MS machines not usable for full testing"
>     Mark>    Why are referrals enabled if AFAICS there are no KDCs which
>     Mark>    support referrals in this form? Surely it just adds overhead with
>     Mark>    little benefit.
> This code works with the MS KDCs.
> We believe it works with the draft too, but were unable to verify it.

Ah, so I misunderstood the comment.

> The tip of the 1.6 branch does work with MS; there have been some bugs
> fixed since 1.6 was released dealing with W2K servers.

I'll see if I can find them.

>     Mark> 3. When the fallback path is taken in krb5_get_cred_from_kdc (i.e.
>     Mark>    the server princ has "" for its realm) and a cred is returned 
>     Mark>    for that server (i.e. success) the original realm-less server
>     Mark>    princ is returned.
>     Mark> z5# klist
>     Mark> Ticket cache: FILE:/tmp/krb5cc_0
>     Mark> Default principal: mark@Z5.ACME.COM
>     Mark> Valid starting     Expires            Service principal
>     Mark> 02/23/07 06:53:42  02/23/07 16:53:42  krbtgt/Z5.ACME.COM@Z5.ACME.COM
>     Mark>         renew until 02/24/07 06:53:42
>     Mark> 02/23/07 06:55:18  02/23/07 16:53:42  krbtgt/ACME.COM@Z5.ACME.COM
>     Mark>         renew until 02/24/07 06:53:42
>     Mark> 02/23/07 06:55:18  02/23/07 16:53:42  host/
>     Mark>         renew until 02/24/07 06:53:42
>     Mark>                                       ^^^^^
>     Mark>                                       No realm.
>     Mark> Is this expected behaviour?
> Yes.  If you do anything else, you won't cache the resulting
> principal.

Ok, makes sense. It is however slightly confusing when referrals are NOT



> --Sam
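The realm-less service principal that the fallback path leaves in the cache (the `host/` entry above) is easy to miss when reading `klist` by eye. The following is an added example, not code from this thread or from MIT Kerberos: it parses `klist` output in the format quoted above and lists the service principals that were cached with an empty realm, so an operator can see which credentials came through the fallback path rather than through a referral. The sample text is constructed from the quoted output with the archive's "at" munging undone, and the function names `parse_klist` and `realmless_services` are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the klist output quoted in the thread, with '@'
# restored and the caret annotation lines dropped.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark@Z5.ACME.COM
Valid starting     Expires            Service principal
02/23/07 06:53:42  02/23/07 16:53:42  krbtgt/Z5.ACME.COM@Z5.ACME.COM
        renew until 02/24/07 06:53:42
02/23/07 06:55:18  02/23/07 16:53:42  krbtgt/ACME.COM@Z5.ACME.COM
        renew until 02/24/07 06:53:42
02/23/07 06:55:18  02/23/07 16:53:42  host/
        renew until 02/24/07 06:53:42
"""

# One credential line: start time, expiry time, service principal.
_ENTRY = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$"
)
# Optional continuation line carrying the renew-until time.
_RENEW = re.compile(r"^\s+renew until (\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s*$")


@dataclass
class Cred:
    valid_from: str
    expires: str
    principal: str  # service principal exactly as klist printed it
    renew_until: Optional[str] = None

    @property
    def realm(self) -> str:
        # Principal syntax is name components, '@', realm.  The last '@'
        # separates the realm (a backslash-escaped '@' inside a name
        # component is not handled here).  No '@' means an empty realm,
        # which is what the fallback path in the thread produces.
        _, sep, realm = self.principal.rpartition("@")
        return realm if sep else ""

    @property
    def service(self) -> str:
        name, sep, _ = self.principal.rpartition("@")
        return name if sep else self.principal


def parse_klist(text: str) -> List[Cred]:
    """Parse klist output into Cred records, attaching renew-until lines."""
    creds: List[Cred] = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            creds.append(Cred(m.group(1), m.group(2), m.group(3)))
            continue
        m = _RENEW.match(line)
        if m and creds:
            creds[-1].renew_until = m.group(1)
    return creds


def realmless_services(creds: List[Cred]) -> List[str]:
    """Service principals cached without a realm, i.e. via the fallback path."""
    return [c.service for c in creds if c.realm == ""]


if __name__ == "__main__":
    cached = parse_klist(SAMPLE_KLIST)
    for c in cached:
        print(f"{c.service:35} realm={c.realm or '<none>'}")
    print("cached with an empty realm:", realmless_services(cached))
```

Running it against the quoted cache lists both `krbtgt` entries under `Z5.ACME.COM` and reports `host/` as the only principal cached with an empty realm.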

