Kerberos dev project for review: domain_realm mapping via KDC referral

Ken Raeburn raeburn at MIT.EDU
Thu May 8 12:18:10 EDT 2008


I've made some edits on the wiki page, but there's a point that still
seems up in the air:

On May 2, 2008, at 18:24, Jeffrey Hutzelman wrote:
> --On Tuesday, April 29, 2008 09:37:21 AM -0700 "Henry B. Hotz"
> <hotz at jpl.nasa.gov> wrote:
>> Since "host-based" is the normal situation
>
> That's a big assumption.  But it probably holds when the requested
> service principal name type is NT-SRV-HST.  IMHO, this form of
> referrals should probably apply only when the principal name is of
> that type or of type NT-SRV-HST-DOMAIN (in which case you need to
> apply domain_realm mapping to the _third_ component, not the second).
>
> It should not be applied when the requested name type is NT-UNKNOWN,
> perhaps unless the first component is found in a list of services for
> which such mapping should be done.
>
>> shouldn't the list be the exclusions?
>
> And yes, there should probably be a list of first components for which
> domain_realm based referrals are not issued even if the requested name
> type is NT-SRV-HST and the second component looks like a domain name.

Having to configure both a *positive* list to apply to NT-UNKNOWN and
a *negative* list to apply to NT-SRV-HST seems like a lot.  Can we
actually rely on the name type being set consistently enough by
clients that we could restrict this behavior to the NT-SRV-HST case?
(We don't have NT-SRV-HST-DOMAIN support yet.)  I'm pretty sure we're
not doing any logging of anything that would help us figure out if
it's consistently used.

Ken
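As an added illustration (not MIT Kerberos code, and not written by anyone in the thread): a small model of the policy Jeff describes, with a positive list for NT-UNKNOWN, an exclusion list for NT-SRV-HST, and the host taken from the third component for NT-SRV-HST-DOMAIN. The domain_realm table, service lists and hostnames are constructed for the example, and the name types are strings rather than the numeric values on the wire.

```python
from dataclasses import dataclass
@dataclass
class ReferralConfig:
    domain_realm: dict            # krb5.conf-style table: "host" or ".domain" -> REALM
    nt_unknown_services: set      # positive list: NT-UNKNOWN services eligible for mapping
    nt_srv_hst_exclusions: set    # negative list: NT-SRV-HST services never mapped

# Constructed sample configuration; none of these names are real sites.
SAMPLE_CONFIG = ReferralConfig(
    domain_realm={".example.com": "EXAMPLE.COM",
                  "legacy.example.com": "LEGACY.EXAMPLE.COM",  # host entry beats domain entry
                  ".corp.example.net": "CORP.EXAMPLE.NET"},
    nt_unknown_services={"host", "nfs"},
    nt_srv_hst_exclusions={"krbtgt", "kadmin"},
)

HOST_INDEX = {"NT-SRV-HST": 1, "NT-SRV-HST-DOMAIN": 2, "NT-UNKNOWN": 1}  # which component is the host

def map_domain_realm(hostname, table):
    # Longest-suffix lookup in the style of [domain_realm]: exact host, then .parent, .grandparent, ...
    name = hostname.lower()
    if name in table:
        return table[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        realm = table.get("." + ".".join(labels[i:]))
        if realm is not None:
            return realm
    return None

def looks_like_domain_name(component):  # dotted labels of letters, digits and hyphens
    labels = component.split(".")
    return len(labels) > 1 and all(
        label and label.replace("-", "").isalnum() for label in labels)

def referral_realm(components, name_type, cfg):
    # Return the realm to refer the client to, or None when no referral is issued.
    idx = HOST_INDEX.get(name_type)
    if idx is None or len(components) <= idx:
        return None                         # other name types, or too few components
    service = components[0]
    if name_type == "NT-SRV-HST" and service in cfg.nt_srv_hst_exclusions:
        return None                         # negative list, e.g. krbtgt/REALM
    if name_type == "NT-UNKNOWN" and service not in cfg.nt_unknown_services:
        return None                         # positive list: untyped names must opt in
    host = components[idx]                  # third component for NT-SRV-HST-DOMAIN
    if not looks_like_domain_name(host):
        return None
    return map_domain_realm(host, cfg.domain_realm)
```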


