referrals in 1.6
Nicolas Williams
Nicolas.Williams at Sun.COM
Tue Feb 27 10:34:01 EST 2007
On Tue, Feb 27, 2007 at 10:01:09AM -0500, Sam Hartman wrote:
> The question of what to do about extra TGS reqs is going to be the big
> one in whether MIT will accept various zeroconf proposals etc. I'm
> really concerned about the performance of KDC requests and DNS traffic
> especially on cell phone links.
>
> In the 1.7 planning call no one else expressed this concern,but in
> practice I'e found Kerberos is hard to use over a cell phone.
It sounds like you'd want a compile-time switch for default behaviour.
That's certainly reasonable. It's not yet clear that it would be
reasonable to exclude support for a configuration knob for selecting
service principal name/realm canonicalization methods.
> I think referrals are the best long-term choice we have for realm
> config at this point. It may be that before we can introduce anything
> else that significantly increases the number of KDC round trips we
> need to do a lot more caching.
More caching would certainly be good.
More information about the krbdev
mailing list