Kerberos dev project for review: domain_realm mapping via KDC referral
Sam Hartman
hartmans at MIT.EDU
Sat May 10 13:44:36 EDT 2008
>>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz at cmu.edu> writes:
Jeffrey> --On Tuesday, April 29, 2008 09:37:21 AM -0700 "Henry B. Hotz"
Jeffrey> <hotz at jpl.nasa.gov> wrote:
>> Since "host-based" is the normal situation
Jeffrey> That's a big assumption. But it probably holds when the
Jeffrey> requested service principal name type is NT-SRV-HST.
Jeffrey> IMHO, this form of referrals should probably apply only
Jeffrey> when the principal name is of that type or of type
Jeffrey> NT-SRV-HST-DOMAIN (in which case you need to apply
Jeffrey> domain_realm mapping to the _third_ component, not the
Jeffrey> second).
Jeffrey> It should not be applied when the requested name type is
Jeffrey> NT-UNKNOWN, perhaps unless the first component is found
Jeffrey> in a list of services for which such mapping should be
Jeffrey> done.
I strongly agree with Jeff here. I think that the name type is an
important part of referral processing. We should default to on for
hostbased services and default to off for other services. I'm not
convinced we need a negative list--a list of cases where even for
hostbased services you don't want referrals, but I do think we want a
positive list--for nt-unknown where you want to support hostbased
services.
If changes along these lines were made I could vote in support of the project.
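The following is an added illustration of the name-type rule discussed in this thread; it is not code from the thread, from MIT krb5 or from Heimdal. It models a KDC deciding whether a TGS request for an unknown service principal should get a referral and, if so, to which realm: NT-SRV-HST maps the second component, NT-SRV-HST-DOMAIN maps the third, NT-UNKNOWN is mapped only when the first component is on a positive list, and every other name type gets no referral. The `[domain_realm]`-style table, the positive list of host-based services, the symbolic name-type constants (NT-SRV-HST-DOMAIN has no RFC 4120 number, so none is assigned), the "try the third component as a domain suffix first" step, and the refusal to refer back to the KDC's own realm are all assumptions made for the example.

```python
"""Name-type gated referral decision for a KDC (hypothetical example code,
not MIT krb5 or Heimdal source), following the rule proposed in the thread."""

# Name types are kept symbolic. RFC 4120 numbers are noted for the ones it
# defines; NT-SRV-HST-DOMAIN (service/host/domain) has no RFC 4120 number.
NT_UNKNOWN = "NT-UNKNOWN"                # RFC 4120: 0
NT_PRINCIPAL = "NT-PRINCIPAL"            # RFC 4120: 1
NT_SRV_HST = "NT-SRV-HST"                # RFC 4120: 3, e.g. host/www.example.com
NT_SRV_HST_DOMAIN = "NT-SRV-HST-DOMAIN"  # service/host/domain form

# Constructed [domain_realm]-style table (assumption for the example).
# An entry without a leading dot matches one host exactly; an entry with a
# leading dot matches every name under that domain, most specific first.
DOMAIN_REALM = {
    "kdc.example.com": "EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
    ".eng.example.com": "ENG.EXAMPLE.COM",
    ".example.org": "EXAMPLE.ORG",
}

# Positive list for NT-UNKNOWN names: only these first components are treated
# as host-based services (site policy; an assumption for the example).
HOSTBASED_SERVICES = frozenset({"host", "HTTP", "nfs", "ldap"})


def lookup_domain_realm(name, table=DOMAIN_REALM):
    """Map a DNS name to a realm the way a [domain_realm] section does.

    Exact host entry first, then parent-domain entries walking upward
    (".eng.example.com", ".example.com", ".com"). Returns None if unmapped.
    """
    name = name.lower().rstrip(".")
    if name in table:
        return table[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        realm = table.get("." + ".".join(labels[i:]))
        if realm is not None:
            return realm
    return None


def referral_realm(components, name_type, local_realm,
                   table=DOMAIN_REALM, positive_list=HOSTBASED_SERVICES):
    """Decide whether a KDC serving local_realm should answer a TGS request
    for this principal with a referral. Returns the foreign realm to refer
    to, or None meaning "do not refer" (the KDC then fails the request)."""
    if name_type == NT_SRV_HST:
        idx, is_domain = 1, False          # service/host
    elif name_type == NT_SRV_HST_DOMAIN:
        idx, is_domain = 2, True           # service/host/domain: map the domain
    elif name_type == NT_UNKNOWN and components and components[0] in positive_list:
        idx, is_domain = 1, False          # NT-UNKNOWN only via the positive list
    else:
        # NT-PRINCIPAL, NT-UNKNOWN off the list, etc.: never refer, even if
        # the second component happens to look like a hostname.
        return None

    if len(components) <= idx:
        return None                        # malformed for its claimed type

    value = components[idx]
    realm = None
    if is_domain:
        # The component names a domain, not a host, so try it as a
        # domain-suffix entry before falling back to host-style lookup.
        realm = table.get("." + value.lower().rstrip("."))
    if realm is None:
        realm = lookup_domain_realm(value, table)

    # Realm names are case-sensitive, so compare them exactly. A name that
    # maps to our own realm but was not found locally must not be referred
    # back to us; that would only loop the client.
    if realm is None or realm == local_realm:
        return None
    return realm


if __name__ == "__main__":
    cases = [
        (["host", "www.eng.example.com"], NT_SRV_HST),
        (["HTTP", "www.eng.example.com"], NT_UNKNOWN),
        (["imap", "www.eng.example.com"], NT_UNKNOWN),
        (["host", "www.eng.example.com"], NT_PRINCIPAL),
        (["ldap", "dc1.eng.example.com", "eng.example.com"], NT_SRV_HST_DOMAIN),
    ]
    for comps, ntype in cases:
        print("/".join(comps), ntype, "->", referral_realm(comps, ntype, "EXAMPLE.COM"))
```

Note that the same principal `host/www.eng.example.com` is referred when requested as NT-SRV-HST and not when requested as NT-PRINCIPAL: the name type, not the shape of the string, is what gates the mapping, which is the point of the proposal.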