referrals in 1.6
Mark Phalan
Mark.Phalan at Sun.COM
Tue Feb 27 09:59:58 EST 2007
On Tue, 2007-02-27 at 09:08 -0500, Jeffrey Altman wrote:
> Mark Phalan wrote:
>
> >> Mark> 3. When the fallback path is taken in krb5_get_cred_from_kdc (i.e.
> >> Mark> the server princ has "" for its realm) and a cred is returned
> >> Mark> for that server (i.e. success) the original realm'less server
> >> Mark> princ is returned.
> >>
> >> Mark> z5# klist
> >> Mark> Ticket cache: FILE:/tmp/krb5cc_0
> >> Mark> Default principal: mark@Z5.ACME.COM
> >>
> >> Mark> Valid starting Expires Service principal
> >> Mark> 02/23/07 06:53:42 02/23/07 16:53:42 krbtgt/Z5.ACME.COM@Z5.ACME.COM
> >> Mark> renew until 02/24/07 06:53:42
> >> Mark> 02/23/07 06:55:18 02/23/07 16:53:42 krbtgt/ACME.COM@Z5.ACME.COM
> >> Mark> renew until 02/24/07 06:53:42
> >> Mark> 02/23/07 06:55:18 02/23/07 16:53:42 host/z4.acme.com@
> >> Mark> renew until 02/24/07 06:53:42
> >> Mark> ^^^^^^^^^^
> >> Mark> No Realm.
> >> Mark> Is this expected behaviour?
> >>
> >>
> >> Yes. If you do anything else, you won't cache the resulting
> >> principal.
> >>
> >
> > Ok, makes sense. It is however slightly confusing when referrals are NOT
> > used.
>
> Would it have been less confusing if the name of the service principal were:
>
> host/z4.acme.com@RESERVED:KDC-REFERRAL:
>
Yes, perhaps something like that. It seems to me to be non-intuitive for
the user to know that principals with an empty realm imply the use of
referrals.
-Mark
> Jeffrey Altman
> Secure Endpoints Inc.
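The thread's point is that a cached service ticket whose principal has an empty realm (the trailing `@` in `host/z4.acme.com@`) was obtained through the referral fallback in `krb5_get_cred_from_kdc`, and that the realmless name is what gets cached. The following parser is an added example, not code from the thread or from MIT krb5: it reads `klist`-style output of the layout quoted above (header, then one credential line with start time, expiry and service principal, optionally followed by an indented "renew until" line) and reports which cache entries carry an empty realm. The sample cache text is constructed to mirror the quoted output; the function and class names are this example's own.

```python
"""Parse klist-style credential-cache listings and flag entries whose
service principal has an empty realm (a referral-fallback ticket).

Added example, not code from the krbdev thread or from MIT krb5. It assumes
the klist layout quoted in the thread; other klist flags or formats are not
handled."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the klist output quoted in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark@Z5.ACME.COM

Valid starting     Expires            Service principal
02/23/07 06:53:42  02/23/07 16:53:42  krbtgt/Z5.ACME.COM@Z5.ACME.COM
        renew until 02/24/07 06:53:42
02/23/07 06:55:18  02/23/07 16:53:42  krbtgt/ACME.COM@Z5.ACME.COM
        renew until 02/24/07 06:53:42
02/23/07 06:55:18  02/23/07 16:53:42  host/z4.acme.com@
        renew until 02/24/07 06:53:42
"""

# One credential line: start time, expiry, service principal (no spaces).
CRED_LINE = re.compile(
    r"^(?P<start>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<expires>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<princ>\S+)\s*$"
)
RENEW_LINE = re.compile(r"^\s+renew until (\S+ \S+)\s*$")
DEFAULT_PRINC = re.compile(r"^Default principal:\s*(\S+)\s*$", re.MULTILINE)


def split_principal(princ: str) -> Tuple[str, Optional[str]]:
    """Split 'name@REALM' at the last unescaped '@'.

    MIT krb5 prints a literal '@' inside a name component as '\\@', so only an
    unescaped '@' separates name from realm. Returns realm None when the
    string has no realm separator at all, and '' when the '@' is trailing."""
    idx = None
    for i, ch in enumerate(princ):
        if ch == "@" and (i == 0 or princ[i - 1] != "\\"):
            idx = i
    if idx is None:
        return princ, None
    return princ[:idx], princ[idx + 1:]


@dataclass
class Credential:
    start: str
    expires: str
    principal: str
    renew_until: Optional[str] = None

    @property
    def realm(self) -> Optional[str]:
        return split_principal(self.principal)[1]

    @property
    def is_realmless(self) -> bool:
        # Empty (not absent) realm: the cache key of a ticket obtained via the
        # referral fallback, as described in the thread.
        return self.realm == ""


def default_principal(text: str) -> Optional[str]:
    m = DEFAULT_PRINC.search(text)
    return m.group(1) if m else None


def parse_klist(text: str) -> List[Credential]:
    """Turn klist output into Credential records; unknown lines are skipped."""
    creds: List[Credential] = []
    for line in text.splitlines():
        m = CRED_LINE.match(line)
        if m:
            creds.append(Credential(m["start"], m["expires"], m["princ"]))
            continue
        r = RENEW_LINE.match(line)
        if r and creds:
            # "renew until" belongs to the credential line just above it.
            creds[-1].renew_until = r.group(1)
    return creds


def realmless_entries(creds: List[Credential]) -> List[str]:
    """Service principals cached with an empty realm."""
    return [c.principal for c in creds if c.is_realmless]


if __name__ == "__main__":
    cache = parse_klist(SAMPLE_KLIST)
    print("default principal:", default_principal(SAMPLE_KLIST))
    for c in cache:
        tag = "referral-fallback entry" if c.is_realmless else ""
        print(f"{c.start}  {c.expires}  {c.principal}  {tag}".rstrip())
```

Running the script over the constructed sample lists the three tickets and tags only `host/z4.acme.com@`, which is exactly the entry the thread's `klist` output marked with "No Realm."; the realm of that entry is the empty string, not absent, which is what `is_realmless` tests.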