Kerberos dev project for review: domain_realm mapping via KDC referral
jhutz at cmu.edu
Fri May 2 18:24:24 EDT 2008

--On Tuesday, April 29, 2008 09:37:21 AM -0700 "Henry B. Hotz"
<hotz at jpl.nasa.gov> wrote:

> Since "host-based" is the normal situation

That's a big assumption. But it probably holds when the requested service
principal name type is NT-SRV-HST. IMHO, this form of referrals should
probably apply only when the principal name is of that type or of type
NT-SRV-HST-DOMAIN (in which case you need to apply domain_realm mapping to
the _third_ component, not the second).

It should not be applied when the requested name type is NT-UNKNOWN,
perhaps unless the first component is found in a list of services for which
such mapping should be done.

> shouldn't the list be the exclusions?

And yes, there should probably be a list of first components for which
domain_realm based referrals are not issued even if the requested name type
is NT-SRV-HST and the second component looks like a domain name.
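
The selection rules discussed in this message, sketched in C as an added example; it is not code from the thread or from any Kerberos implementation. The enum, both service lists, the sample principals and the simplified krb5.conf-style domain_realm lookup are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Name types from the message; enum values are local to this example. */
enum name_type { NT_UNKNOWN, NT_SRV_HST, NT_SRV_HST_DOMAIN };
struct map_entry { const char *domain, *realm; };
/* Constructed policy data (assumptions, not taken from the thread). */
static const struct map_entry domain_realm[] = {
    { "lab.example.com", "LAB.EXAMPLE.COM" }, { ".example.com", "EXAMPLE.COM" } };
static const char *const unknown_allow[] = { "ldap", NULL }; /* NT-UNKNOWN opt-in */
static const char *const excluded[] = { "afs", NULL };       /* never referred */

static int in_list(const char *const *list, const char *s) {
    for (; *list; list++)
        if (strcmp(*list, s) == 0) return 1;   /* service names: case-sensitive */
    return 0;
}

/* Simplified lookup: exact host first, then each parent ".domain" suffix. */
static const char *lookup_realm(const char *host) {
    for (const char *p = host; p; p = strchr(p + 1, '.'))
        for (size_t i = 0; i < sizeof domain_realm / sizeof *domain_realm; i++)
            if (strcasecmp(domain_realm[i].domain, p) == 0)
                return domain_realm[i].realm;
    return NULL;
}

/* Returns the realm to refer to, or NULL when no referral should be issued. */
const char *referral_realm(enum name_type t, const char *const *c, size_t n) {
    size_t idx;
    if (n == 0 || in_list(excluded, c[0])) return NULL;
    if (t == NT_SRV_HST_DOMAIN) idx = 2;         /* map the third component */
    else if (t == NT_SRV_HST) idx = 1;           /* map the second component */
    else if (t == NT_UNKNOWN && in_list(unknown_allow, c[0])) idx = 1;
    else return NULL;
    if (n <= idx || !strchr(c[idx], '.')) return NULL; /* must look like a domain */
    return lookup_realm(c[idx]);
}

/* Constructed sample principals, one array of components each. */
const char *const sample_host[] = { "host", "www.example.com" };
const char *const sample_afs[] = { "afs", "cell.example.com" };
const char *const sample_dom[] = { "ldap", "dc1.corp.test", "lab.example.com" };

int main(void) {
    const char *r = referral_realm(NT_SRV_HST, sample_host, 2);
    printf("host/www.example.com -> %s\n", r ? r : "(no referral)");
    return 0;
}
```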