Kerberos dev project for review: domain_realm mapping via KDCreferral

Tim Alsop Tim.Alsop at CyberSafe.Com
Tue Apr 29 16:08:08 EDT 2008


Surely the MIT clients will need changes so that they send the TGS
request with referral flag set, and don't look in their local
domain_realm configuration ?

So, if this is "limited form", what happens when KDCs are deployed with
this functionality and the customer wants to use some client code to
take advantage of this functionality ?

Sorry for so many questions, but I am trying to understand why this
differs from the normal project work which takes place within IETF
working group, when working on a draft for a new feature.


-----Original Message-----
From: Ken Raeburn [mailto:raeburn at MIT.EDU] 
Sent: 29 April 2008 21:04
To: Tim Alsop
Cc: John Hascall; MIT Kerberos Dev List
Subject: Re: Kerberos dev project for review: domain_realm mapping via

On Apr 29, 2008, at 15:45, Tim Alsop wrote:
> I am wondering why this feature not being described in an IETF  
> draft, so
> that other non-MIT clients can be interoperable with MIT KDC and other
> KDCs can have this feature added to be interoperable with MIT  
> clients ?

This is an implementation of a limited form of the KDC-side support  
for the referrals draft.  Limited, in that its only source of data is  
the domain_realm mapping so it can't differentiate by individual  
principal names or service names, it'll only work in TGS exchanges, it  
doesn't support referrals that tell the client to look up a different  
server name, etc.  But it should handle some of the most common cases,  
and works to simplify client-side configuration (in the MIT  


More information about the krbdev mailing list