Kerberos dev project for review: domain_realm mapping via KDC referral
jhutz at cmu.edu
Fri May 9 14:13:07 EDT 2008
--On Thursday, May 08, 2008 12:18:10 PM -0400 Ken Raeburn <raeburn at mit.edu>
> Having to configure both a *positive* list to apply to NT-UNKNOWN and
> a *negative* list to apply to NT-SRV-HST seems like a lot. Can we
> actually rely on the name type being set consistently enough by
> clients that we could restrict this behavior to the NT-SRV-HST case?
> (We don't have NT-SRV-HST-DOMAIN support yet.) I'm pretty sure we're
> not doing any logging of anything that would help us figure out if
> it's consistently used.
Well, in the ideal situation, you don't _have_ to configure either. But in
practice, no, I don't believe we can count on clients setting the name type
to NT-SRV-HST in all cases where they should. I'm pretty sure there exist
clients which always use NT-UNKNOWN. Then there is the fact that RFC1964
doesn't actually require that krb5-gss implementations use NT-SRV-HST when
constructing principals for GSS_C_NT_HOSTBASED_SERVICE names. And, there
are probably applications which use GSS_KRB5_NT_PRINCIPAL_NAME even for
host-based service names (in some cases, this is almost unavoidable,
because interfaces for allowing a user to specify a principal name rarely
provide a way to specify a name type).
So for those reasons, I think it's necessary to either have a positive list
to apply to NT-UNKNOWN or else apply the same logic for NT-UNKNOWN that is
used for NT-SRV-HST. Either way, I believe it's essential to be able to
override that policy by being able to provide a negative list and/or turn
off the feature entirely (preferably both).
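The policy knobs discussed above (a feature switch, a positive list for NT-UNKNOWN, a negative list for NT-SRV-HST, and the option of treating NT-UNKNOWN like NT-SRV-HST) can be modelled as a small decision function. The block below is an added illustration for this thread and is not MIT krb5 code; the `ReferralPolicy` fields, the `unknown_mode` setting, and the sample `domain_realm` mapping are assumptions chosen to mirror the message, and the host-matching rule follows the krb5.conf `[domain_realm]` convention of a leading dot matching subdomains.

```python
"""Model of the KDC referral policy discussed in the thread.

Given a requested service principal, its client-supplied name type and a
policy, decide whether the KDC should answer locally or refer the client
to the realm that the domain_realm mapping assigns to the host.  Added
example, not krb5 code; the policy structure is assumed from the message.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Kerberos principal name types (RFC 4120, section 6.2).
KRB5_NT_UNKNOWN = 0
KRB5_NT_PRINCIPAL = 1
KRB5_NT_SRV_HST = 3


@dataclass
class ReferralPolicy:
    enabled: bool = True
    # How NT-UNKNOWN is handled (assumed knob):
    #   "positive_list"    refer only hosts matched by positive_list
    #   "same_as_srv_hst"  apply the NT-SRV-HST logic to NT-UNKNOWN too
    unknown_mode: str = "positive_list"
    positive_list: List[str] = field(default_factory=list)
    negative_list: List[str] = field(default_factory=list)
    # domain_realm-style mapping, e.g. ".example.com" -> "EXAMPLE.COM"
    domain_realm: Dict[str, str] = field(default_factory=dict)


def domain_match(host: str, pattern: str) -> bool:
    """krb5.conf domain_realm semantics: a key with a leading dot matches
    any host below that domain; a key without a dot matches only that host."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern


def matches_any(host: str, patterns: List[str]) -> bool:
    return any(domain_match(host, p) for p in patterns)


def lookup_realm(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Longest-matching domain_realm key wins, as with krb5.conf."""
    best_key, best_realm = None, None
    for key, realm in mapping.items():
        if domain_match(host, key) and (best_key is None or len(key) > len(best_key)):
            best_key, best_realm = key, realm
    return best_realm


def referral_realm(principal: str, name_type: int,
                   policy: ReferralPolicy, local_realm: str) -> Optional[str]:
    """Return the realm to refer the client to, or None to answer locally."""
    if not policy.enabled:            # feature switched off entirely
        return None
    comps = principal.split("/")
    if len(comps) != 2:               # only service/host names are host-based
        return None
    host = comps[1]

    if name_type == KRB5_NT_SRV_HST:
        eligible = True
    elif name_type == KRB5_NT_UNKNOWN:
        if policy.unknown_mode == "same_as_srv_hst":
            eligible = True
        else:
            eligible = matches_any(host, policy.positive_list)
    else:
        eligible = False              # NT-PRINCIPAL etc.: never guess

    # The negative list overrides whatever the name type implied.
    if not eligible or matches_any(host, policy.negative_list):
        return None

    realm = lookup_realm(host, policy.domain_realm)
    if realm is None or realm == local_realm:
        return None
    return realm


# Constructed sample policy for demonstration.
SAMPLE_POLICY = ReferralPolicy(
    positive_list=[".eng.example.com"],
    negative_list=[".legacy.example.com"],
    domain_realm={
        ".example.com": "EXAMPLE.COM",
        ".eng.example.com": "ENG.EXAMPLE.COM",
        ".legacy.example.com": "LEGACY.EXAMPLE.COM",
    },
)

if __name__ == "__main__":
    for princ, nt in [("host/a.eng.example.com", KRB5_NT_SRV_HST),
                      ("host/a.eng.example.com", KRB5_NT_UNKNOWN),
                      ("host/b.legacy.example.com", KRB5_NT_SRV_HST),
                      ("host/c.example.com", KRB5_NT_UNKNOWN)]:
        print(princ, nt, "->", referral_realm(princ, nt, SAMPLE_POLICY, "EXAMPLE.COM"))
```

Running the demo shows the four outcomes the message distinguishes: an NT-SRV-HST name under a mapped subdomain is referred, an NT-UNKNOWN name is referred only because its domain is on the positive list, a host under the negative list is answered locally regardless of name type, and a host that maps to the KDC's own realm is never referred.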