Kerberos dev project for review: domain_realm mapping via KDC referral

John Hascall john at
Tue Apr 29 14:16:12 EDT 2008

Ken Raeburn <raeburn at> writes:
> On Apr 28, 2008, at 19:01, Russ Allbery wrote:
> > I would prefer to be able to configure the list of services in a KDC
> > configuration file from early on rather than using a hard-coded list,
> > since we frequently run into host-based principals of types that  
> > software
> > isn't already familiar with.

> I definitely think it's desirable for a site to be able to define  
> their own.  I'm just concerned that the default list (presumably, the  
> same set as used by krb5_524_conv_principal) is going to be non- 
> trivial in size anyways, and do we want sites to be able to remove  
> entries relative to MIT's default settings, and/or replace the full  
> list?  That could be tricky without making the admin copy the default  
> list into the config file and start editing from there, and that's a  
> pretty ugly solution too.

PLEASE, no more evilness like the compiled in krb5_524_conv_principal
table (which we have ripped out and replaced with a config-file option
here since 1.0.5 BTW).

> .... Okay, how about this:
> [kdc]
>    host_based_services = foo bar
>    host_based_services = baz

As others have mentioned, I think it makes more sense to
treat */ as a "host_based_service" unless
there is a config-file option to turn it off.  Perhaps:

    no_host_referral = host ftp

(why you want to turn those two off escapes me, but go with it)
and perhaps even an option to just turn it off entirely:

    host_referral = no


More information about the krbdev mailing list