Kerberos dev project for review: domain_realm mapping via KDC referral
Russ Allbery
rra at stanford.edu
Mon Apr 28 21:38:40 EDT 2008
Ken Raeburn <raeburn at MIT.EDU> writes:
> On Apr 28, 2008, at 20:34, Russ Allbery wrote:
>> No, rather that just because the second component is foo.example.com,
>> don't assume that we should do referrals without verifying that the
>> first part of the name is really in the host_based_services list.
> Ah. So if the local admins don't know about (and configure) a remote
> service, the user doesn't get referred without making some special
> effort (like populating domain_realm on the client)? Even if
> NT-SRV-HST is used as the principal name type?
I'm a little concerned about handing out referrals for otherwise local
principals without explicit configuration, although it's just an unease
and I don't have a specific problem to identify. Although it occurs to me
that the referral bit has to be set, which may eliminate all of my concern
there.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>