Kerberos dev project for review: domain_realm mapping via KDC referral
raeburn at MIT.EDU
Fri May 9 15:26:18 EDT 2008
On May 9, 2008, at 14:13, Jeffrey Hutzelman wrote:
> So for those reasons, I think it's necessary to either have a
> positive list to apply to NT-UNKNOWN or else apply the same logic
> for NT-UNKNOWN that is used for NT-SRV-HST. Either way, I believe
> it's essential to be able to override that policy by being able to
> provide a negative list and/or turn off the feature entirely
> (preferably both).
Without explicitly deciding that name types are going to be important
parts of the request (and outside of the NT-ENTERPRISE proposal, I
don't think they are particularly, but maybe that's enough), I think
I'd be more comfortable keeping the logic the same, or more similar,
at least for now.
Having a separate flag to turn it off altogether sounds okay -- but
I'm curious why people think it's needed.
If we assume (and I'm not sure it's valid) that the reason to suppress
this handling based on first-component strings is to permit the admin
to identify the service names that are not actually host-based names,
then one could make an argument for always doing the processing for NT-SRV-HST
without exception, and using heuristics (including the
positive or negative first-component list in the config file) to
figure out if an NT-UNKNOWN name is really host-based. Does that
sound reasonable, or are there other reasons to suppress referral
processing for a specific service name that really is host-based?
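As an added illustration (not MIT krb5 code, and not part of either message in this thread), here is a small Python model of the policy sketched above: NT-SRV-HST names always get referral processing, NT-UNKNOWN names are judged host-based via the first-component lists and a fallback heuristic, and a global switch turns the feature off. The config field names, the dotted-instance heuristic and the shape of the domain_realm lookup are assumptions made for the example.

```python
# Toy model of the referral policy discussed in this thread (added example, not
# MIT krb5 code). Name types follow RFC 4120; the config knobs, the dotted-instance
# heuristic and the domain_realm lookup shape are assumptions for illustration.
from dataclasses import dataclass, field

NT_UNKNOWN = 0          # RFC 4120 name-type values
NT_SRV_HST = 3

@dataclass
class ReferralConfig:
    enabled: bool = True                              # assumed global off switch
    host_based: set = field(default_factory=set)      # positive first-component list
    not_host_based: set = field(default_factory=set)  # negative first-component list
    domain_realm: dict = field(default_factory=dict)  # host or ".domain" -> REALM

def components_of(principal: str) -> list:
    """'svc/host@REALM' -> ['svc', 'host']; backslash escapes are not handled."""
    return principal.rsplit("@", 1)[0].split("/")

def is_host_based(comps: list, name_type: int, cfg: ReferralConfig) -> bool:
    """NT-SRV-HST is always host-based; NT-UNKNOWN consults the lists, then a heuristic."""
    if len(comps) != 2:
        return False
    if name_type == NT_SRV_HST:
        return True
    service, instance = comps
    if service in cfg.not_host_based:
        return False
    if service in cfg.host_based:
        return True
    return "." in instance.strip(".")   # assumed fallback: instance looks like an FQDN

def map_host_to_realm(host: str, domain_realm: dict):
    """domain_realm-style lookup: exact host first, then the longest parent domain."""
    labels = host.lower().rstrip(".").split(".")
    candidates = [".".join(labels)]
    candidates += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((domain_realm[c] for c in candidates if c in domain_realm), None)

def referral_target(principal: str, name_type: int, local_realm: str, cfg: ReferralConfig):
    """Return the realm the KDC would refer the client to, or None for no referral."""
    if not cfg.enabled:
        return None
    comps = components_of(principal)
    if not is_host_based(comps, name_type, cfg):
        return None
    realm = map_host_to_realm(comps[1], cfg.domain_realm)
    return realm if realm and realm != local_realm else None
```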