Kerberos dev project for review: domain_realm mapping via KDC referral
Ken Raeburn
raeburn at MIT.EDU
Thu Jul 3 16:24:31 EDT 2008
I've updated the project proposal at http://k5wiki.kerberos.org/wiki/Projects/domain_realm_referrals
based on the discussions in May, and think it's ready for a new
review; the review period runs through July 17. Please have a new look.

The purpose of the project: Eliminate the need for the domain_realm
mapping table on the client side, in the common case, by implementing
minimal referral support in the KDC and providing the mapping
information to clients through that protocol.

Highlights of the new version:

NT-UNKNOWN only gets referral processing if the service is listed in
the config file under "host_based_services" (multiple lines of
whitespace- or comma-separated names), and the principal name
otherwise looks like a host-based principal name. NT-SRV-HST defaults
to getting the referral processing.

Config file entry "no_host_referral" lists services for which referral
processing won't be done, regardless of name type; overrides
host_based_services.

In both cases, the special service name "*" matches anything.

No special explicit entry for enabling or disabling referral
processing overall. It's on by default, and for the (hopefully few)
sites that explicitly never want it, "no_host_referral=*" should do
the trick. Also, no way to turn it off even for all NT-SRV-HST
principals but then enable it for a few exceptions; if you want that,
you can start working on a plugin interface. :-)

No compiled-in default host-based service name list; even host/fqdn
won't get referral processing when NT-UNKNOWN. I'm happy to change
that, but would object to using a list that's not in sync with the
table for krb5/krb4 principal name conversion, until such time as we
get rid of that code. (Also known as, "I'll believe we're getting rid
of it when I see it." :-)
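A small model of the decision rules described above (name type, host_based_services, no_host_referral and the "*" wildcard), added here as an illustration; it is not code from the proposal or from the MIT krb5 KDC. The numeric name-type constants, the dict-of-config-lines stand-in for kdc.conf, and the "two components with a dotted hostname" heuristic for "looks like a host-based principal name" are assumptions.

```python
import re

# Name types of interest (numeric values assumed for this model).
NT_UNKNOWN = 0
NT_SRV_HST = 3


def parse_service_list(lines):
    """Flatten config lines of whitespace- or comma-separated service names."""
    names = set()
    for line in lines:
        names.update(n for n in re.split(r"[\s,]+", line) if n)
    return names


def service_listed(service, names):
    """The special service name "*" matches any service."""
    return "*" in names or service in names


def looks_host_based(components):
    """Assumption: exactly two components, second one looks like a hostname."""
    return len(components) == 2 and "." in components[1]


def wants_referral(name_type, components, kdc_config):
    """Decide whether the KDC applies referral processing to a principal.

    kdc_config maps "host_based_services" / "no_host_referral" to the raw
    config lines for that entry (a constructed stand-in for kdc.conf).
    """
    if not components:
        return False
    service = components[0]
    # no_host_referral wins regardless of name type.
    no_ref = parse_service_list(kdc_config.get("no_host_referral", []))
    if service_listed(service, no_ref):
        return False
    if name_type == NT_SRV_HST:
        return True  # referral processing is the default for NT-SRV-HST
    if name_type == NT_UNKNOWN:
        hbs = parse_service_list(kdc_config.get("host_based_services", []))
        return service_listed(service, hbs) and looks_host_based(components)
    return False


if __name__ == "__main__":
    # Site that turns referrals off entirely, as the text suggests.
    off = {"no_host_referral": ["*"]}
    print(wants_referral(NT_SRV_HST, ["host", "a.example.com"], off))
```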
--
Ken Raeburn, Senior Programmer
MIT Kerberos Consortium