Kerberos dev project for review: domain_realm mapping via KDCreferral

Tim Alsop Tim.Alsop at CyberSafe.Com
Tue Apr 29 17:25:10 EDT 2008


Ok, thanks for explaining. I am now clear that this is an implementation
of the draft. If this is the case, why didn't the design on the wiki say
this so it is clear which draft version this is based on ?


-----Original Message-----
From: Ken Raeburn [mailto:raeburn at MIT.EDU] 
Sent: 29 April 2008 21:55
To: Tim Alsop
Cc: John Hascall; MIT Kerberos Dev List
Subject: Re: Kerberos dev project for review: domain_realm mapping via

On Apr 29, 2008, at 16:08, Tim Alsop wrote:
> Surely the MIT clients will need changes so that they send the TGS
> request with referral flag set, and don't look in their local
> domain_realm configuration ?

Already released.  If the domain_realm mapping doesn't indicate a  
specific realm for the host in question, a referral is requested.

> So, if this is "limited form", what happens when KDCs are deployed  
> with
> this functionality and the customer wants to use some client code to
> take advantage of this functionality ?

It should "just work".  Okay, well, the client code needs to not  
specify a realm, or explicitly specify the "referral realm", to get  
our library to actually request a referral, but "whatever you need to  
do to request a referral" should work.  And, for this round, it only  
works in TGS exchanges, not AS exchanges.  (There are some issues that  
require a bit more work to support that case securely.)

> Sorry for so many questions, but I am trying to understand why this
> differs from the normal project work which takes place within IETF
> working group, when working on a draft for a new feature.

The protocol work is already happening at the IETF.  This is just an  
implementation project.


More information about the krbdev mailing list