Kerberos dev project for review: domain_realm mapping via KDC referral

[Ken Raeburn]

On May 9, 2008, at 14:13, Jeffrey Hutzelman wrote:
> So for those reasons, I think it's necessary to either have a  
> positive list to apply to NT-UNKNOWN or else apply the same logic  
> for NT-UNKNOWN that is used for NT-SRV-HST.  Either way, I believe  
> it's essential to be able to override that policy by being able to  
> provide a negative list and/or turn off the feature entirely  
> (preferably both).

Without explicitly deciding that name types are going to be important  
parts of the request (and outside of the NT-ENTERPRISE proposal, I  
don't think they are particularly, but maybe that's enough), I think  
I'd be more comfortable keeping the logic the same, or more similar,  
at least for now.

Having a separate flag to turn it off altogether sounds okay -- but  
I'm curious why people think it's needed.

If we assume (and I'm not sure it's valid) that the reason to suppress  
this handling based on first-component strings is to permit the admin  
to identify the service names that are not actually host-based names,  
then one could make an argument for always doing the processing for NT- 
SRV-HST without exception, and using heuristics (including the  
positive or negative first-component list in the config file) to  
figure out if an NT-UNKNOWN name is really host-based.  Does that  
sound reasonable, or are there other reasons to suppress referral  
processing for a specific service name that really is host-based?

Ken