Kerberos dev project for review: domain_realm mapping via KDC referral

Ken Raeburn raeburn at MIT.EDU
Thu Jul 3 16:24:31 EDT 2008

I've updated the project proposal at 
  based on the discussions in May, and think it's ready for a new  
review; the review period runs through July 17.  Please have a new look.

The purpose of the project:  Eliminate the need for the domain_realm  
mapping table on the client side, in the common case, by implementing  
minimal referral support in the KDC and providing the mapping  
information to clients through that protocol.

Highlights of the new version:

NT-UNKNOWN only gets referral processing if the service is listed in  
the config file under "host_based_services" (multiple lines of  
whitespace- or comma-separated names), and the principal name  
otherwise looks like a host-based principal name.  NT-SRV-HST defaults  
to getting the referral processing.

Config file entry "no_host_referral" lists services for which referral  
processing won't be done, regardless of name type; overrides  

In both cases, the special service name "*" matches anything.

No special explicit entry for enabling or disabling referral  
processing overall.  It's on by default, and for the (hopefully few)  
sites that explicitly never want it, "no_host_referral=*" should do  
the trick.  Also, no way to turn it off even for all NT-SRV-HST  
principals but then enable it for a few exceptions; if you want that,  
you can start working on a plugin interface. :-)
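Putting the rules above together as a decision function (example code written for this post, not MIT krb5's own implementation): the name type, the two config lists and the "*" wildcard decide whether the KDC applies referral processing. The sample config is constructed, and "looks like a host-based principal name" is assumed to mean exactly two components, since the post does not spell out that check.

```c
/* Decision rules from the proposal: does the KDC apply referral
 * processing to a given service principal? Example code written for this
 * post, not MIT krb5's own implementation. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Principal name types referenced above (numeric values from RFC 4120). */
#define NT_UNKNOWN 0
#define NT_SRV_HST 3

/* Constructed sample config: each entry is a NULL-terminated list of
 * service names, as the post describes. */
static const char *const host_based_services[] = { "host", "HTTP", NULL };
static const char *const no_host_referral[]    = { "ldap", NULL };
static const char *const match_everything[]    = { "*", NULL }; /* "no_host_referral=*" */

/* True if svc appears in the list; the special name "*" matches anything. */
static bool in_list(const char *const *list, const char *svc)
{
    for (size_t i = 0; list[i] != NULL; i++)
        if (strcmp(list[i], "*") == 0 || strcmp(list[i], svc) == 0)
            return true;
    return false;
}

/* svc is the principal's first component, ncomp its component count.
 * Assumption: "looks like a host-based principal name" is read as exactly
 * two components (service/hostname); the post does not define the test. */
bool kdc_refers_cfg(int name_type, const char *svc, int ncomp,
                    const char *const *hbs, const char *const *nhr)
{
    if (in_list(nhr, svc))          /* no_host_referral wins, any name type */
        return false;
    if (name_type == NT_SRV_HST)    /* referral processing on by default */
        return true;
    if (name_type == NT_UNKNOWN)    /* only listed, host-looking names */
        return ncomp == 2 && in_list(hbs, svc);
    return false;                   /* other name types are not touched */
}

/* Same decision against the sample config above. */
bool kdc_refers(int name_type, const char *svc, int ncomp)
{
    return kdc_refers_cfg(name_type, svc, ncomp,
                          host_based_services, no_host_referral);
}
```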

No compiled-in default host-based service name list; even host/fqdn  
won't get referral processing when NT-UNKNOWN.  I'm happy to change  
that, but would object to using a list that's not in sync with the  
table for krb5/krb4 principal name conversion, until such time as we  
get rid of that code.  (Also known as, "I'll believe we're getting rid  
of it when I see it." :-)

Ken Raeburn, Senior Programmer
MIT Kerberos Consortium
