Kerberos dev project for review: domain_realm mapping via KDCreferral

Tim Alsop Tim.Alsop at CyberSafe.Com
Tue Apr 29 17:25:10 EDT 2008


Ken,

Ok, thanks for explaining. I am now clear that this is an implementation
of the draft. If this is the case, why didn't the design on the wiki say
this so it is clear which draft version this is based on?

Thanks,
Tim

-----Original Message-----
From: Ken Raeburn [mailto:raeburn at MIT.EDU] 
Sent: 29 April 2008 21:55
To: Tim Alsop
Cc: John Hascall; MIT Kerberos Dev List
Subject: Re: Kerberos dev project for review: domain_realm mapping via
KDCreferral 

On Apr 29, 2008, at 16:08, Tim Alsop wrote:
> Surely the MIT clients will need changes so that they send the TGS
> request with referral flag set, and don't look in their local
> domain_realm configuration?

Already released.  If the domain_realm mapping doesn't indicate a  
specific realm for the host in question, a referral is requested.

> So, if this is "limited form", what happens when KDCs are deployed with
> this functionality and the customer wants to use some client code to
> take advantage of this functionality?

It should "just work".  Okay, well, the client code needs to not  
specify a realm, or explicitly specify the "referral realm", to get  
our library to actually request a referral, but "whatever you need to  
do to request a referral" should work.  And, for this round, it only  
works in TGS exchanges, not AS exchanges.  (There are some issues that  
require a bit more work to support that case securely.)

> Sorry for so many questions, but I am trying to understand why this
> differs from the normal project work which takes place within IETF
> working group, when working on a draft for a new feature.

The protocol work is already happening at the IETF.  This is just an  
implementation project.

Ken



