Kerberos dev project for review: domain_realm mapping via KDC referral

Sam Hartman hartmans at MIT.EDU
Sat May 10 13:44:36 EDT 2008

>>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz at> writes:

    Jeffrey> --On Tuesday, April 29, 2008 09:37:21 AM -0700 "Henry
    Jeffrey> B. Hotz"
    Jeffrey> <hotz at> wrote:

    >> Since "host-based" is the normal situation

    Jeffrey> That's a big assumption.  But it probably holds when the
    Jeffrey> requested service principal name type is NT-SRV-HST.
    Jeffrey> IMHO, this form of referrals should probably apply only
    Jeffrey> when the principal name is of that type or of type
    Jeffrey> NT-SRV-HST-DOMAIN (in which case you need to apply
    Jeffrey> domain_realm mapping to the _third_ component, not the
    Jeffrey> second).

    Jeffrey> It should not be applied when the requested name type is
    Jeffrey> NT-UNKNOWN, perhaps unless the first component is found
    Jeffrey> in a list of services for which such mapping should be
    Jeffrey> done.

I strongly agree with Jeff here.  I think that the name type is an
important part of referral processing.  We should default to on for
hostbased services and default to off for other services.  I'm not
convinced we need a negative list--a list of cases where even for
hostbased services you don't want referrals, but I do think we want a
positive list--for nt-unknown where you want to support hostbased

If changes along these lines were made I could vote in support of the project.

More information about the krbdev mailing list