Kerberos dev project for review: domain_realm mapping via KDC referral
Ken Raeburn
raeburn at MIT.EDU
Tue Apr 29 16:54:30 EDT 2008
On Apr 29, 2008, at 16:08, Tim Alsop wrote:
> Surely the MIT clients will need changes so that they send the TGS
> request with referral flag set, and don't look in their local
> domain_realm configuration ?
Already released. If the domain_realm mapping doesn't indicate a
specific realm for the host in question, a referral is requested.
> So, if this is "limited form", what happens when KDCs are deployed
> with this functionality and the customer wants to use some client
> code to take advantage of this functionality ?
It should "just work". Okay, well, the client code needs to not
specify a realm, or explicitly specify the "referral realm", to get
our library to actually request a referral, but "whatever you need to
do to request a referral" should work. And, for this round, it only
works in TGS exchanges, not AS exchanges. (There are some issues that
require a bit more work to support that case securely.)
> Sorry for so many questions, but I am trying to understand why this
> differs from the normal project work which takes place within IETF
> working group, when working on a draft for a new feature.
The protocol work is already happening at the IETF. This is just an
implementation project.
Ken
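
Added example, not part of the message above and not MIT krb5 code: a simplified, self-contained C model of the client-side decision the reply describes, where a host with no domain_realm entry yields an empty realm and therefore a referral request. The map contents, the names `realm_for_host`, `needs_referral` and `REFERRAL_REALM`, and the parent-domain search order are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Constructed stand-in for a [domain_realm] section; not from the thread. */
struct dr_entry { const char *key; const char *realm; };

static const struct dr_entry SAMPLE_MAP[] = {
    { "kdc.corp.example.com", "CORP.EXAMPLE.COM" }, /* exact host entry */
    { ".example.com",         "EXAMPLE.COM" },      /* domain entry */
};
#define SAMPLE_MAP_LEN (sizeof SAMPLE_MAP / sizeof SAMPLE_MAP[0])

/* Assumed convention: an empty realm means "no local answer, ask the KDC". */
#define REFERRAL_REALM ""

/* Return the mapped realm for host, or REFERRAL_REALM when nothing matches.
 * Candidates tried in order: the full host name, then each parent domain
 * with and without its leading dot (".example.com", "example.com", ...). */
const char *realm_for_host(const char *host, const struct dr_entry *map, size_t n)
{
    char lower[256];
    size_t i, len = strlen(host);

    if (len == 0 || len >= sizeof lower)
        return REFERRAL_REALM;           /* unusable name: no local mapping */
    for (i = 0; i < len; i++)
        lower[i] = (char)tolower((unsigned char)host[i]);
    lower[len] = '\0';
    if (lower[len - 1] == '.')           /* drop a trailing root dot */
        lower[--len] = '\0';

    for (const char *cp = lower; cp != NULL && *cp != '\0';
         cp = (*cp == '.') ? cp + 1 : strchr(cp, '.')) {
        for (i = 0; i < n; i++)
            if (strcmp(cp, map[i].key) == 0)
                return map[i].realm;     /* local config decides the realm */
    }
    return REFERRAL_REALM;               /* nothing matched: defer to the KDC */
}

/* 1 when the client should request a referral in its TGS request. */
int needs_referral(const char *host, const struct dr_entry *map, size_t n)
{
    return realm_for_host(host, map, n)[0] == '\0';
}
```
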