Kerberos dev project for review: domain_realm mapping via KDC referral

Jeffrey Hutzelman jhutz at
Fri May 9 14:13:07 EDT 2008

--On Thursday, May 08, 2008 12:18:10 PM -0400 Ken Raeburn <raeburn at> 

> Having to configure both a *positive* list to apply to NT-UNKNOWN and
> a *negative* list to apply to NT-SRV-HST seems like a lot.  Can we
> actually rely on the name type being set consistently enough by
> clients that we could restrict this behavior to the NT-SRV-HST case?
> (We don't have NT-SRV-HST-DOMAIN support yet.)  I'm pretty sure we're
> not doing any logging of anything that would help us figure out if
> it's consistently used.

Well, in the ideal situation, you don't _have_ to configure either.  But in 
practice, no, I don't believe we can count on clients setting the name type 
to NT-SRV-HST in all cases where they should.  I'm pretty sure there exist 
clients which always use NT-UNKNOWN.  Then there is the fact that RFC1964 
doesn't actually require that krb5-gss implementations use NT-SRV-HST when 
constructing principals for GSS_C_NT_HOSTBASED_SERVICE names.  And, there 
are probably applications which use GSS_KRB5_NT_PRINCIPAL_NAME even for 
host-based service names (in some cases, this is almost unavoidable, 
because interfaces for allowing a user to specify a principal name rarely 
provide a way to specify a name type).

So for those reasons, I think it's necessary to either have a positive list 
to apply to NT-UNKNOWN or else apply the same logic for NT-UNKNOWN that is 
used for NT-SRV-HST.  Either way, I believe it's essential to be able to 
override that policy by being able to provide a negative list and/or turn 
off the feature entirely (preferably both).

-- Jeff
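An added illustration of the policy discussed in this message, not code from MIT Kerberos or from either poster: a KDC-side check in which a negative list and a master switch override both name types, while NT-UNKNOWN names qualify only through a positive list. The structure, function and list names are hypothetical, the sample lists are constructed, and the two-component (service/host) shape test is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Name-type values as assigned in RFC 4120, section 6.2. */
#define NT_UNKNOWN 0
#define NT_SRV_HST 3

/* Hypothetical policy structure; all field names are assumptions. */
struct referral_policy {
    bool enabled;                /* master switch for the whole feature */
    const char *const *positive; /* services treated as host-based under NT-UNKNOWN */
    const char *const *negative; /* services never given referral processing */
};

/* Return true if svc appears in a NULL-terminated list (NULL list = empty). */
static bool in_list(const char *const *list, const char *svc)
{
    for (; list != NULL && *list != NULL; list++)
        if (strcmp(*list, svc) == 0)
            return true;
    return false;
}

/* Decide whether a requested server principal gets host-based referral
 * processing. ncomp is the number of name components, svc the first one. */
bool wants_host_referral(const struct referral_policy *p, int name_type,
                         int ncomp, const char *svc)
{
    if (!p->enabled || ncomp != 2 || svc == NULL)
        return false;            /* feature off, or not service/host shaped */
    if (in_list(p->negative, svc))
        return false;            /* negative list overrides everything else */
    if (name_type == NT_SRV_HST)
        return true;             /* client declared a host-based name */
    if (name_type == NT_UNKNOWN)
        return in_list(p->positive, svc); /* untyped: positive list only */
    return false;                /* any other name type is left alone */
}

/* Constructed sample policy, for illustration only. */
static const char *const sample_pos[] = { "host", "ldap", NULL };
static const char *const sample_neg[] = { "afs", NULL };
const struct referral_policy sample_policy = { true, sample_pos, sample_neg };
```

The alternative mentioned in the message, applying the NT-SRV-HST logic to NT-UNKNOWN as well, corresponds to returning true in the NT-UNKNOWN branch instead of consulting the positive list.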
