Kerberos dev project for review: domain_realm mapping via KDC referral

Jeffrey Hutzelman jhutz at
Fri May 2 18:24:24 EDT 2008

--On Tuesday, April 29, 2008 09:37:21 AM -0700 "Henry B. Hotz" 
<hotz at> wrote:

> Since "host-based" is the normal situation

That's a big assumption.  But it probably holds when the requested service 
principal name type is NT-SRV-HST.  IMHO, this form of referrals should 
probably apply only when the principal name is of that type or of type 
NT-SRV-HST-DOMAIN (in which case you need to apply domain_realm mapping to 
the _third_ component, not the second).

It should not be applied when the requested name type is NT-UNKNOWN, 
perhaps unless the first component is found in a list of services for which 
such mapping should be done.

> shouldn't the list be the exclusions?

And yes, there should probably be a list of first components for which 
domain_realm based referrals are not issued even if the requested name type 
is NT-SRV-HST and the second component looks like a domain name.

-- Jeff
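The selection rule described in the message above, written out as an added example; it is not part of the original post and is not MIT krb5 code. The enum, the two service lists, the sample principals and the "looks like a domain name" test are all assumptions made for illustration.

```c
#include <string.h>

/* Local stand-ins for the name types in the message; not krb5.h constants. */
enum name_type { NT_UNKNOWN, NT_SRV_HST, NT_SRV_HST_DOMAIN, NT_OTHER };

/* Hypothetical policy lists of first components (service names). */
static const char *nt_unknown_allow[] = { "host", "ldap", NULL };
static const char *srv_hst_exclude[] = { "kadmin", NULL };

/* Constructed sample principals, one string per component. */
const char *p_host[] = { "host", "www.example.com" };
const char *p_kadmin[] = { "kadmin", "kdc.example.com" };
const char *p_afs[] = { "afs", "cell.example.com" };
const char *p_dom[] = { "ldap", "dc1.example.com", "example.com" };

static int in_list(const char *s, const char **list)
{
    for (; *list != NULL; list++)
        if (strcmp(s, *list) == 0)
            return 1;
    return 0;
}

/* Assumed test for "looks like a domain name": a dot with text on both sides. */
static int looks_like_domain(const char *s)
{
    const char *dot = strchr(s, '.');
    return dot != NULL && dot != s && dot[1] != '\0';
}

/* Index of the component to pass to domain_realm mapping, or -1 for none. */
int referral_component(enum name_type t, const char **comp, int ncomp)
{
    int idx = (t == NT_SRV_HST_DOMAIN) ? 2 : 1;  /* third vs. second component */

    if (ncomp <= idx || !looks_like_domain(comp[idx]))
        return -1;
    switch (t) {
    case NT_SRV_HST:            /* mapped unless the service is excluded */
        return in_list(comp[0], srv_hst_exclude) ? -1 : idx;
    case NT_SRV_HST_DOMAIN:
        return idx;
    case NT_UNKNOWN:            /* mapped only for listed services */
        return in_list(comp[0], nt_unknown_allow) ? idx : -1;
    default:                    /* any other name type: no referral */
        return -1;
    }
}
```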

