Kerberos dev project for review: domain_realm mapping via KDC referral

Russ Allbery rra at
Mon Apr 28 21:38:40 EDT 2008

Ken Raeburn <raeburn at MIT.EDU> writes:
> On Apr 28, 2008, at 20:34, Russ Allbery wrote:

>> No, rather that just because the second component is,
>> don't assume that we should do referrals without verifying that the
>> first part of the name is really in the host_based_services list.

> Ah.  So if the local admins don't know about (and configure) a remote
> service, the user doesn't get referred without making some special
> effort (like populating domain_realm on the client)?  Even if NT-SRV-
> HST is used as the principal name type?

I'm a little concerned about handing out referrals for otherwise local
principals without explicit configuration, although it's just an unease
and I don't have a specific problem to identify.  Although it occurs to me
that the referral bit has to be set, which may eliminate all of my concern

Russ Allbery (rra at             <>

More information about the krbdev mailing list