Kerberos dev project for review: domain_realm mapping via KDC referral
Jeffrey Hutzelman
jhutz at cmu.edu
Fri May 2 18:17:12 EDT 2008
--On Tuesday, April 29, 2008 10:22:23 PM -0400 Ken Raeburn
<raeburn at mit.edu> wrote:
> On Apr 29, 2008, at 17:25, Tim Alsop wrote:
>> Ok, thanks for explaining. I am now clear that this is an implementation
>> of the draft. If this is the case, why didn't the design on the wiki say
>> this so it is clear which draft version this is based on?
>
> Because I've spent enough time myself dealing with the referrals draft
> that I thought it would be obvious to the whole world. :) I'll put in
> a pointer to the draft.

And because you've spent enough time with people for whom "referrals"
automatically expands to "draft-ietf-krb-wg-kerberos-referrals-NN.txt".

Incidentally, I think this is a generally good idea; eliminating
domain_realm mappings from client configuration would be a major win. I am
a little concerned about the KDC being overzealous in issuing referrals,
but I'm still thinking about what might be a reasonable set of rules to
mitigate this without requiring excessive configuration. Note that IMHO a
feature which requires explicit configuration on every KDC is several
orders of magnitude less painful than one which requires explicit
configuration on every client. So, I'm perfectly willing to accept a
tradeoff in which one must configure an explicit list of services for which
the KDC issues domain_realm based referrals in order to avoid having to
configure domain_realm mapping on every client.

-- Jeff