referrals in 1.6
Sam Hartman
hartmans at MIT.EDU
Tue Feb 27 11:29:31 EST 2007
>>>>> "Mark" == Mark Phalan <Mark.Phalan at Sun.COM> writes:
Mark> On Tue, 2007-02-27 at 09:08 -0500, Jeffrey Altman wrote:
>> Mark Phalan wrote:
>>
>> >> Mark> 3. When the fallback path is taken in krb5_get_cred_from_kdc (i.e.
>> >> Mark> the server princ has "" for its realm) and a cred is returned
>> >> Mark> for that server (i.e. success) the original realm'less server
>> >> Mark> princ is returned.
>> >>
>> >> Mark> z5# klist
>> >> Mark> Ticket cache: FILE:/tmp/krb5cc_0
>> >> Mark> Default principal: mark at Z5.ACME.COM
>> >>
>> >> Mark> Valid starting Expires Service principal
>> >> Mark> 02/23/07 06:53:42 02/23/07 16:53:42 krbtgt/Z5.ACME.COM at Z5.ACME.COM
>> >> Mark> renew until 02/24/07 06:53:42
>> >> Mark> 02/23/07 06:55:18 02/23/07 16:53:42 krbtgt/ACME.COM at Z5.ACME.COM
>> >> Mark> renew until 02/24/07 06:53:42
>> >> Mark> 02/23/07 06:55:18 02/23/07 16:53:42 host/z4.acme.com@
>> >> Mark> renew until 02/24/07 06:53:42
>> >> Mark> ^^^^^^^^^^
>> >> Mark> No Realm.
>> >> Mark> Is this expected behaviour?
>> >>
>> >>
>> >> Yes. If you do anything else, you won't cache the resulting
>> >> principal.
>> >>
>> >
>> > Ok, makes sense. It is however slightly confusing when referrals are NOT
>> > used.
>>
>> Would it have been less confusing if the name of the service principal were:
>>
>> host/z4.acme.com at RESERVED:KDC-REFERRAL:
>>
Mark> Yes, perhaps something like that. It seems to me to be non-intuitive for
Mark> the user to know that principals with an empty realm imply the use of
Mark> referrals.
They don't.
You can get other cases where the canonicalized realm is not the same as the initial realm.
An empty realm simply implies that you start with the client principal kdc.
--Sam
More information about the krbdev
mailing list