Question about draft-ietf-krb-wg-kerberos-referrals

Tim Alsop Tim.Alsop at CyberSafe.Com
Thu Jan 3 10:10:51 EST 2008


Jeffrey,

It was the use of the words "in the request" and "canonicalize" in the
same sentence that made me think otherwise. I guess I didn't read it
properly :-(

Anyway, thank you for confirming what it is supposed to mean.

So, is it true to say that the referral draft is specific to MS Windows
clients? I was/am under the impression that a referral is something
which was required when ksetup was first implemented in initial Windows
2000 releases, and then in a service pack, changes were made to Windows
so that cross realm referrals are used instead of anything which is MS
specific. Is this correct understanding?

Cheers,
Tim

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at secure-endpoints.com] 
Sent: 03 January 2008 14:56
To: Tim Alsop
Cc: krbdev at mit.edu
Subject: Re: Question about draft-ietf-krb-wg-kerberos-referrals

I interpret that as saying, if the 'canonicalize' KDC option is
set and the KDC does not recognize the requested name, then the KDC will
attempt to canonicalize the name using an external name service.

I do not see anything in that text that indicates that it is a test for
whose brand client it is.

Jeffrey Altman


Tim Alsop wrote:
> Oops...
> 
> The URL in my email (see below) was wrong. It should have been 
> 
> http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-04
> 
> Thanks,
> Tim
> 
> -----Original Message-----
> From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf
> Of Tim Alsop
> Sent: 03 January 2008 12:48
> To: krbdev at mit.edu
> Subject: Question about draft-ietf-krb-wg-kerberos-referrals
> 
> I wondered if somebody could give me some advice on the referrals
> draft?
> 
> In
> http://archives.postgresql.org/pgsql-interfaces/2002-09/msg00046.php
> in section 5 (client referrals) it mentions checking if the canonical
> flag is set - see below:
> 
>    If the account is not present in the realm specified in the request
>    and the "canonicalize" KDC option is set, the KDC will try to
>    lookup the entire name, alice at MS.COM, using a name service. If this
>    lookup is unsuccessful, it MUST return the error
>    KDC_ERR_C_PRINCIPAL_UNKNOWN [3].
> 
> I assume this check is to determine if the Kerberos client is
> Microsoft Windows? If so, I am aware of at least 2 Kerberos clients
> running on UNIX or Linux which are able to send the canonical flag in
> a request, so surely using this flag to determine if the client is
> Microsoft is not a good idea?
> 
> I look forward to any feedback on this?
> 
> Thanks,
> 
> Tim
> 
> 
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
> 
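The rule quoted from section 5 of the draft, and Jeffrey's reading of it, can be modelled as a small decision function. The following is an added example written for this thread; it is not code from the referrals draft, from MIT Kerberos, or from any Windows component. It encodes KDCOptions as the 32-bit ASN.1 bit string used on the wire, with canonicalize at bit 15 as RFC 4120 and RFC 6806 define it, and then applies the quoted text: the KDC consults a name service only when the account is absent from the requested realm and the canonicalize bit is set, and answers KDC_ERR_C_PRINCIPAL_UNKNOWN (error code 6) when that lookup fails. Two things are assumptions made here rather than statements from the draft: that a successful lookup is answered with the realm the name service reported, and that without the canonicalize bit no name-service lookup is attempted at all. The local principal table and the name-service table are constructed sample data.

```python
"""
Simulated KDC name-lookup decision for the "canonicalize" KDC option.

Added example for this thread, not code from the referrals draft or from
any Kerberos implementation. It models the rule quoted from section 5 of
the draft; the behaviour on a *successful* name-service lookup and the
sample tables below are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Optional

# KDCOptions is an ASN.1 BIT STRING; bit 0 is the most significant bit
# of the first octet. canonicalize is bit 15 (RFC 4120 / RFC 6806).
CANONICALIZE_BIT = 15
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # error code from RFC 4120


def kdc_options(*bits: int) -> bytes:
    """Encode the given KDCOptions bit numbers as a 4-octet bit string."""
    value = 0
    for bit in bits:
        value |= 1 << (31 - bit)
    return value.to_bytes(4, "big")


def option_set(options: bytes, bit: int) -> bool:
    """Return True if KDCOptions bit number `bit` is set."""
    return bool(int.from_bytes(options, "big") & (1 << (31 - bit)))


@dataclass
class Request:
    client_name: str      # e.g. "alice"
    realm: str            # realm named in the request, e.g. "MS.COM"
    options: bytes        # encoded KDCOptions

    @property
    def full_name(self) -> str:
        return f"{self.client_name}@{self.realm}"


@dataclass
class Result:
    error: Optional[int] = None
    realm: Optional[str] = None   # realm the client should use on success


# Constructed sample data: what this KDC knows locally, and what an
# external name service (assumed) would answer for the whole name.
LOCAL_PRINCIPALS = {"MS.COM": {"bob"}}
NAME_SERVICE = {"alice@MS.COM": "CORP.EXAMPLE"}   # alice really lives elsewhere


def kdc_lookup(req: Request, local=LOCAL_PRINCIPALS,
               name_service=NAME_SERVICE) -> Result:
    """Decide how the KDC answers a client-name lookup.

    Only the canonicalize bit drives the name-service lookup; nothing
    about the client's vendor is examined, which is the point Jeffrey
    makes in the thread: any client that sets the bit gets this path.
    """
    # 1. Account present in the realm named in the request: answer locally.
    if req.client_name in local.get(req.realm, set()):
        return Result(realm=req.realm)

    # 2. Not present and canonicalize not set: no name-service lookup is
    #    attempted (assumption here); the name is simply unknown.
    if not option_set(req.options, CANONICALIZE_BIT):
        return Result(error=KDC_ERR_C_PRINCIPAL_UNKNOWN)

    # 3. Not present and canonicalize set: try the whole name in the name
    #    service; it MUST fail with KDC_ERR_C_PRINCIPAL_UNKNOWN if that fails.
    target_realm = name_service.get(req.full_name)
    if target_realm is None:
        return Result(error=KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return Result(realm=target_realm)


if __name__ == "__main__":
    for name, opts in (("alice", kdc_options(CANONICALIZE_BIT)),
                       ("alice", kdc_options()),
                       ("carol", kdc_options(CANONICALIZE_BIT)),
                       ("bob", kdc_options())):
        print(name, kdc_lookup(Request(name, "MS.COM", opts)))
```

Running it shows the four cases side by side: alice with canonicalize set is redirected to CORP.EXAMPLE, alice without the bit and an unknown carol both get error 6, and bob is answered locally. Nothing in the decision depends on which operating system produced the request, only on the bit in KDCOptions.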