Kerberos dev project for review: domain_realm mapping via KDC referral
Jeffrey Hutzelman
jhutz at cmu.edu
Fri May 9 17:52:01 EDT 2008
--On Friday, May 09, 2008 03:26:18 PM -0400 Ken Raeburn <raeburn at mit.edu>
wrote:
> Does that
> sound reasonable, or are there other reasons to suppress referral
> processing for a specific service name that really is host-based?
I think it is desirable to be able to suppress referral processing for a
service which would otherwise be considered host-based. For a particularly
sensitive service, I might want to avoid issuing referrals for a mistyped
name that looks like it belongs in another realm. We have hosts with names
containing 5 or even 6 labels; I'm sure I can construct examples in which
mistyping one near the end or leaving one off entirely results in a name
for which the KDC might issue a referral.
-- Jeff
More information about the krbdev
mailing list