Kerberos dev project for review: domain_realm mapping via KDC referral

Ken Raeburn raeburn at MIT.EDU
Tue Apr 29 16:54:30 EDT 2008

On Apr 29, 2008, at 16:08, Tim Alsop wrote:
> Surely the MIT clients will need changes so that they send the TGS
> request with referral flag set, and don't look in their local
> domain_realm configuration?

Already released.  If the domain_realm mapping doesn't indicate a  
specific realm for the host in question, a referral is requested.

> So, if this is "limited form", what happens when KDCs are deployed with
> this functionality and the customer wants to use some client code to
> take advantage of this functionality?

It should "just work".  Okay, well, the client code needs to not  
specify a realm, or explicitly specify the "referral realm", to get  
our library to actually request a referral, but "whatever you need to  
do to request a referral" should work.  And, for this round, it only  
works in TGS exchanges, not AS exchanges.  (There are some issues that  
require a bit more work to support that case securely.)

> Sorry for so many questions, but I am trying to understand why this
> differs from the normal project work which takes place within IETF
> working group, when working on a draft for a new feature.

The protocol work is already happening at the IETF.  This is just an  
implementation project.
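
The fallback described in this message, sketched as an added example (not part of the original e-mail and not MIT krb5 code): a host is matched against `[domain_realm]`, and only when nothing matches does the client leave the realm empty and ask for a referral. The sample configuration, the function names, the empty-string referral realm and the simplified matching order (exact host, then dot-prefixed parent domains) are assumptions.

```python
# Simplified model of the client-side decision; not MIT krb5 source code.
REFERRAL_REALM = ""  # assumption: empty realm stands for "ask the KDC"

# Constructed sample configuration.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    .example.com = EXAMPLE.COM
    db.eng.example.com = ENG.EXAMPLE.COM
"""


def parse_domain_realm(conf_text):
    """Collect the key = value pairs of the [domain_realm] section."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
        elif in_section and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def choose_realm(hostname, mapping):
    """Return (realm, request_referral) for a host-based service."""
    host = hostname.lower().rstrip(".")
    candidates = [host]                      # exact host entry first
    while "." in host:                       # then parent domains, most specific first
        host = host.split(".", 1)[1]
        candidates.append("." + host)
    for key in candidates:
        if key in mapping:
            return mapping[key], False       # local config names the realm
    return REFERRAL_REALM, True              # no mapping: leave the choice to the KDC


if __name__ == "__main__":
    table = parse_domain_realm(SAMPLE_CONF)
    for name in ("db.eng.example.com", "www.example.com", "web.other.org"):
        print(name, choose_realm(name, table))
```

An unmapped host is the case where the realm comes from the KDC's answer rather than from local configuration, so explicit `[domain_realm]` entries are how a site pins the realm for specific hosts.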


