Question about draft-ietf-krb-wg-kerberos-referrals

Jeffrey Altman jaltman at secure-endpoints.com
Thu Jan 3 09:55:45 EST 2008


I interpret that as saying, if the "canonicalize KDC option" is
set and the KDC does not recognize the requested name, then the KDC will
attempt to canonicalize the name using an external name service.

I do not see anything in that text that indicates that it is a test for
whose brand client it is.

Jeffrey Altman


Tim Alsop wrote:
> Oops...
> 
> The URL in my email (see below) was wrong. It should have been 
> 
> http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-04
> 
> Thanks,
> Tim
> 
> -----Original Message-----
> From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf
> Of Tim Alsop
> Sent: 03 January 2008 12:48
> To: krbdev at mit.edu
> Subject: Question about draft-ietf-krb-wg-kerberos-referrals
> 
> I wondered if somebody could give me some advice on the referrals draft?
> 
>  
> 
> In http://archives.postgresql.org/pgsql-interfaces/2002-09/msg00046.php
> in section 5 (client referrals) it mentions checking if the canonical
> flag is set - see below:
> 
>  
> 
>    If the account is not present in the realm specified in the request
>    and the "canonicalize" KDC option is set, the KDC will try to lookup
>    the entire name, alice@MS.COM, using a name service. If this lookup
>    is unsuccessful, it MUST return the error KDC_ERR_C_PRINCIPAL_UNKNOWN
>    [3].
> 
>  
> 
> I assume this check is to determine if the Kerberos client is Microsoft
> Windows? If so, I am aware of at least 2 Kerberos clients running on
> UNIX or Linux which are able to send the canonical flag in a request, so
> surely using this flag to determine if the client is Microsoft is not a
> good idea?
> 
>  
> 
> I look forward to any feedback on this.
> 
>  
> 
> Thanks,
> 
> Tim
> 
>  
> 
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
> 