Kerberos dev project for review: domain_realm mapping via KDC referral

Jeffrey Hutzelman jhutz at
Fri May 9 17:52:01 EDT 2008

--On Friday, May 09, 2008 03:26:18 PM -0400 Ken Raeburn <raeburn at> 

> Does that
> sound reasonable, or are there other reasons to suppress referral
> processing for a specific service name that really is host-based?

I think it is desirable to be able to suppress referral processing for a 
service which would otherwise be considered host-based.  For a particularly 
sensitive service, I might want to avoid issuing referrals for a mistyped 
name that looks like it belongs in another realm.  We have hosts with names 
containing 5 or even 6 labels; I'm sure I can construct examples in which 
mistyping one near the end or leaving one off entirely results in a name 
for which the KDC might issue a referral.

-- Jeff
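
The concern raised in this message, as an added example that is not part of the original post or of the krb5 code: a simplified model of suffix-based domain_realm lookup, showing how leaving one label out of a long host name moves it under another realm's mapping, and how a per-service suppression list prevents the resulting referral. The mapping, host names, realm names, the `NO_REFERRAL_SERVICES` set and the function names are constructed assumptions.

```python
# Constructed [domain_realm]-style mapping; every name here is made up.
DOMAIN_REALM = {
    ".example.edu": "EXAMPLE.EDU",
    ".cs.example.edu": "CS.EXAMPLE.EDU",
}
LOCAL_REALM = "CS.EXAMPLE.EDU"
# Hypothetical policy knob: services for which the KDC never issues referrals.
NO_REFERRAL_SERVICES = {"sensitive"}


def realm_for_host(host):
    """Simplified lookup: exact host entry, then each parent domain (longest first)."""
    host = host.lower().rstrip(".")
    if host in DOMAIN_REALM:
        return DOMAIN_REALM[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        realm = DOMAIN_REALM.get("." + ".".join(labels[i:]))
        if realm is not None:
            return realm
    return None  # no mapping: the KDC has nowhere to refer the client


def referral_realm(service, host):
    """Realm the modelled KDC would refer service/host to, or None for no referral."""
    realm = realm_for_host(host)
    if realm is None or realm == LOCAL_REALM:
        return None
    if service in NO_REFERRAL_SERVICES:
        return None  # referral processing suppressed for this service name
    return realm


def referral_typos(service, host):
    """Variants of host with one label left out that would draw a referral."""
    labels = host.split(".")
    hits = []
    for i in range(len(labels)):
        variant = ".".join(labels[:i] + labels[i + 1:])
        realm = referral_realm(service, variant)
        if realm is not None:
            hits.append((variant, realm))
    return hits


if __name__ == "__main__":
    host = "db1.rack4.lab.cs.example.edu"  # constructed six-label name
    for svc in ("host", "sensitive"):
        print(svc, referral_typos(svc, host))
```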

