Kerberos dev project for review: domain_realm mapping via KDC referral

Ken Raeburn raeburn at MIT.EDU
Thu May 8 12:18:10 EDT 2008

I've made some edits on the wiki page, but there's a point that still
seems up in the air:

On May 2, 2008, at 18:24, Jeffrey Hutzelman wrote:
> --On Tuesday, April 29, 2008 09:37:21 AM -0700 "Henry B. Hotz"
> <hotz at> wrote:
>> Since "host-based" is the normal situation
> That's a big assumption.  But it probably holds when the requested service
> principal name type is NT-SRV-HST.  IMHO, this form of referrals should
> probably apply only when the principal name is of that type or of type
> NT-SRV-HST-DOMAIN (in which case you need to apply domain_realm mapping to
> the _third_ component, not the second).
> It should not be applied when the requested name type is NT-UNKNOWN,
> perhaps unless the first component is found in a list of services for which
> such mapping should be done.
>> shouldn't the list be the exclusions?
> And yes, there should probably be a list of first components for which
> domain_realm based referrals are not issued even if the requested name type
> is NT-SRV-HST and the second component looks like a domain name.

Having to configure both a *positive* list to apply to NT-UNKNOWN and
a *negative* list to apply to NT-SRV-HST seems like a lot.  Can we
actually rely on the name type being set consistently enough by
clients that we could restrict this behavior to the NT-SRV-HST case?
(We don't have NT-SRV-HST-DOMAIN support yet.)  I'm pretty sure we're
not doing any logging of anything that would help us figure out if
it's consistently used.
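As an added illustration of the per-name-type policy Jeff lays out above (both the positive list for NT-UNKNOWN and the exclusion list for NT-SRV-HST), here is a small model of the KDC-side decision; it is not krb5 code and not from anyone in this thread. The string name-type constants, the dict-based [domain_realm] table and the two list parameter names are assumptions made for the example.

```python
# Added model of the referral policy discussed above (not krb5 code).
# Name types are kept as strings; their numeric values are not needed here.
NT_UNKNOWN = "NT-UNKNOWN"
NT_SRV_HST = "NT-SRV-HST"
NT_SRV_HST_DOMAIN = "NT-SRV-HST-DOMAIN"


def map_domain_realm(host, domain_realm):
    """krb5.conf-style [domain_realm] lookup: an exact host entry wins,
    otherwise the longest matching parent domain (keys starting with '.')."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


def referral_realm(name_type, components, domain_realm, local_realm,
                   referral_services=(), no_referral_services=()):
    """Realm the KDC should refer the client to, or None for no referral.
    NT-SRV-HST:        map the 2nd component, unless the 1st component is
                       on the exclusion list (no_referral_services).
    NT-SRV-HST-DOMAIN: map the 3rd component, not the 2nd.
    NT-UNKNOWN:        only if the 1st component is on the positive list
                       (referral_services).
    Any other type:    never.  A mapping to the local realm is no referral.
    """
    if len(components) < 2:
        return None
    service = components[0]
    if name_type == NT_SRV_HST:
        if service in no_referral_services:
            return None
        target = components[1]
    elif name_type == NT_SRV_HST_DOMAIN:
        if len(components) < 3:
            return None
        target = components[2]
    elif name_type == NT_UNKNOWN:
        if service not in referral_services:
            return None
        target = components[1]
    else:
        return None
    if "." not in target:  # does not look like a domain name
        return None
    realm = map_domain_realm(target, domain_realm)
    return None if realm is None or realm == local_realm else realm
```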
