Kerberos dev project for review: domain_realm mapping via KDC referral
raeburn at MIT.EDU
Thu May 8 12:18:10 EDT 2008
I've made some edits on the wiki page, but there's a point that still
seems up in the air:
On May 2, 2008, at 18:24, Jeffrey Hutzelman wrote:
> --On Tuesday, April 29, 2008 09:37:21 AM -0700 "Henry B. Hotz"
> <hotz at jpl.nasa.gov> wrote:
>> Since "host-based" is the normal situation
> That's a big assumption. But it probably holds when the requested
> principal name type is NT-SRV-HST. IMHO, this form of referral
> probably applies only when the principal name is of that type or of
> type NT-SRV-HST-DOMAIN (in which case you need to apply domain_realm
> mapping to the _third_ component, not the second).
> It should not be applied when the requested name type is NT-UNKNOWN,
> perhaps unless the first component is found in a list of services for
> which such mapping should be done.
>> shouldn't the list be the exclusions?
> And yes, there should probably be a list of first components for which
> domain_realm based referrals are not issued even if the requested name
> type is NT-SRV-HST and the second component looks like a domain name.
Having to configure both a *positive* list to apply to NT-UNKNOWN and
a *negative* list to apply to NT-SRV-HST seems like a lot. Can we
actually rely on the name type being set consistently enough by
clients that we could restrict this behavior to the NT-SRV-HST case?
(We don't have NT-SRV-HST-DOMAIN support yet.) I'm pretty sure we're
not doing any logging of anything that would help us figure out if
it's consistently used.
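The referral policy debated in this thread, written out as an added Python example (not MIT krb5 code and not anything from the wiki page): a single decision function a KDC could call before issuing a domain_realm-based referral. It gates on the principal name type, picks the second component for NT-SRV-HST and the third for NT-SRV-HST-DOMAIN, consults a positive service list for NT-UNKNOWN names and a negative service list for everything else, and only then looks the host or domain up in a domain_realm table. The table, the two service lists, the `local_realm` check (no referral back to the realm the client already asked), and the simplified longest-suffix lookup are all assumptions made for this example rather than MIT's actual configuration keys or lookup order.

```python
"""Policy check for domain_realm-based KDC referrals (added example)."""
import re
from typing import Optional

# Constructed sample [domain_realm] table. An exact host entry maps only
# that host; a leading-dot entry maps every host beneath that domain.
DOMAIN_REALM = {
    "kdc.example.com": "EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
    "corp.example.com": "CORP.EXAMPLE.COM",
    ".corp.example.com": "CORP.EXAMPLE.COM",
}

# Assumed policy lists (not real krb5.conf keys): first components for
# which NT-UNKNOWN names are still eligible for a referral, and first
# components for which no referral is issued even for NT-SRV-HST names.
REFERRAL_SERVICES = {"host", "HTTP"}
NO_REFERRAL_SERVICES = {"kadmin"}

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def looks_like_domain_name(value: str) -> bool:
    """True if value has at least two syntactically valid DNS labels."""
    labels = value.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def map_domain_to_realm(hostname: str, domain_realm: dict) -> Optional[str]:
    """Simplified domain_realm lookup: exact host first, then each parent
    domain with a leading dot, most specific suffix first."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None


def referral_realm(name_type: str, components: list, local_realm: str,
                   domain_realm: dict = DOMAIN_REALM,
                   include: set = REFERRAL_SERVICES,
                   exclude: set = NO_REFERRAL_SERVICES) -> Optional[str]:
    """Return the realm a domain_realm referral should name, or None when
    policy says no referral is to be issued for this request."""
    if not components:
        return None
    service = components[0]
    if name_type == "NT-SRV-HST":
        idx = 1            # host name is the second component
    elif name_type == "NT-SRV-HST-DOMAIN":
        idx = 2            # domain name is the third component
    elif name_type == "NT-UNKNOWN":
        if service not in include:
            return None    # untyped names need the positive list
        idx = 1
    else:
        return None        # NT-PRINCIPAL, NT-ENTERPRISE, etc.: never
    if service in exclude or len(components) <= idx:
        return None        # negative list, or name too short
    target = components[idx]
    if not looks_like_domain_name(target):
        return None
    realm = map_domain_to_realm(target, domain_realm)
    # Assumption: a mapping onto the KDC's own realm is not a referral.
    if realm is None or realm == local_realm:
        return None
    return realm


if __name__ == "__main__":
    for nt, comps in [("NT-SRV-HST", ["host", "www.corp.example.com"]),
                      ("NT-SRV-HST", ["kadmin", "www.example.com"]),
                      ("NT-UNKNOWN", ["ftp", "db.example.com"])]:
        print(nt, "/".join(comps), "->", referral_realm(nt, comps, "HOME.EXAMPLE.ORG"))
```

Because the negative list is checked for every name type, not just NT-SRV-HST, the function is slightly stricter than the rule as stated in the quoted message; that makes it safe to use as the single gate even if a client sends a listed service name with the NT-UNKNOWN type.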