Kerberos dev project for review: domain_realm mapping via KDC referral

Jeffrey Hutzelman jhutz at
Fri May 2 18:17:12 EDT 2008

--On Tuesday, April 29, 2008 10:22:23 PM -0400 Ken Raeburn 
<raeburn at> wrote:

> On Apr 29, 2008, at 17:25, Tim Alsop wrote:
>> Ok, thanks for explaining. I am now clear that this is an implementation
>> of the draft. If this is the case, why didn't the design on the wiki say
>> this so it is clear which draft version this is based on?
> Because I've spent enough time myself dealing with the referrals draft
> that I thought it would be obvious to the whole world. :)  I'll put in
> a pointer to the draft.

And because you've spent enough time with people for whom "referrals" 
automatically expands to "draft-ietf-krb-wg-kerberos-referrals-NN.txt".

Incidentally, I think this is a generally good idea; eliminating 
domain_realm mappings from client configuration would be a major win.  I am 
a little concerned about the KDC being overzealous in issuing referrals, 
but I'm still thinking about what might be a reasonable set of rules to 
mitigate this without requiring excessive configuration.  Note that IMHO a 
feature which requires explicit configuration on every KDC is several 
orders of magnitude less painful than one which requires explicit 
configuration on every client.  So, I'm perfectly willing to accept a 
tradeoff in which one must configure an explicit list of services for which 
the KDC issues domain_realm based referrals in order to avoid having to 
configure domain_realm mapping on every client.

-- Jeff

