Kerberos dev project for review: domain_realm mapping via KDCreferral
Tim Alsop
Tim.Alsop at CyberSafe.Com
Tue Apr 29 16:08:08 EDT 2008
Ken,

Surely the MIT clients will need changes so that they send the TGS
request with referral flag set, and don't look in their local
domain_realm configuration?

So, if this is "limited form", what happens when KDCs are deployed with
this functionality and the customer wants to use some client code to
take advantage of this functionality?

Sorry for so many questions, but I am trying to understand why this
differs from the normal project work which takes place within IETF
working group, when working on a draft for a new feature.

Regards,
Tim
-----Original Message-----
From: Ken Raeburn [mailto:raeburn at MIT.EDU]
Sent: 29 April 2008 21:04
To: Tim Alsop
Cc: John Hascall; MIT Kerberos Dev List
Subject: Re: Kerberos dev project for review: domain_realm mapping via
KDCreferral
On Apr 29, 2008, at 15:45, Tim Alsop wrote:
> I am wondering why this feature is not being described in an IETF
> draft, so that other non-MIT clients can be interoperable with MIT KDC
> and other KDCs can have this feature added to be interoperable with MIT
> clients?
This is an implementation of a limited form of the KDC-side support
for the referrals draft. Limited, in that its only source of data is
the domain_realm mapping so it can't differentiate by individual
principal names or service names, it'll only work in TGS exchanges, it
doesn't support referrals that tell the client to look up a different
server name, etc. But it should handle some of the most common cases,
and works to simplify client-side configuration (in the MIT
implementation).
Ken
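
The limited KDC-side behaviour described in the quoted reply, sketched as an added example (not part of the thread and not MIT krb5 code). Realm names, host names and the function names are constructed; the lookup is a simplified reading of domain_realm (exact host entry first, then dotted domain entries from most to least specific), and it assumes a two-component service name whose second component is the host name.

```python
# Added illustration; not MIT krb5 code. All names below are constructed.
LOCAL_REALM = "ATHENA.EXAMPLE"

# Constructed [domain_realm] table: a leading dot marks a domain entry,
# anything else is an exact host entry.
DOMAIN_REALM = {
    ".eng.example.com": "ENG.EXAMPLE",
    ".example.com": "ATHENA.EXAMPLE",
    "build.eng.example.com": "ATHENA.EXAMPLE",
}


def realm_for_host(host, table=DOMAIN_REALM):
    """Return the realm the table maps host to, or None if nothing matches."""
    host = host.lower().rstrip(".")
    if host in table:  # an exact host entry wins over any domain entry
        return table[host]
    labels = host.split(".")
    # Try ".b.c.d", then ".c.d", ... so the most specific domain entry wins.
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return None


def referral_tgt(sname, canonicalize, local_realm=LOCAL_REALM):
    """For a TGS request naming a service the local database lacks, return the
    cross-realm TGT principal to hand back as a referral, or None.

    sname is the list of name components, e.g. ["host", "www.eng.example.com"].
    canonicalize is the request's referral option (assumed name).
    """
    if not canonicalize:
        return None  # client did not ask for referrals
    if len(sname) != 2:
        return None  # assumption: only service/hostname names are mapped
    realm = realm_for_host(sname[1])
    if realm is None or realm == local_realm:
        return None  # no mapping, or it maps back here: nothing to refer to
    # The mapping looks only at the host, never at the service component.
    return f"krbtgt/{realm}@{local_realm}"


if __name__ == "__main__":
    print(referral_tgt(["host", "www.eng.example.com"], True))
```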