anonymous realm and host realm referrals

Sam Hartman hartmans at MIT.EDU
Thu Dec 17 12:36:42 EST 2009



Principals in the anonymous realm work very poorly with client-side host
realm referrals.
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting     Expires            Service principal
12/17/09 12:25:01  12/17/09 22:25:01  krbtgt/SUCHDAMAGE.ORG@SUCHDAMAGE.ORG

hartmans@live:build(437)> kvno -S host luminous.suchdamage.org
kvno: Cannot find ticket for requested realm while getting credentials for host/
luminous.suchdamage.org@


What's going on here is that I don't have a domain_realm mapping for
luminous.suchdamage.org.  So, the library returns a null realm indicating
I should try the client KDC.
Within the library I look at the default principal for my ccache and
try and send the request to that realm.  So, I try and send a request
for host/luminous.suchdamage.org@WELLKNOWN:ANONYMOUS.

That fails because I don't have a krbtgt/WELLKNOWN:ANONYMOUS ticket.
If I did have such a ticket it would still fail because sendto_kdc
can't find the address of the WELLKNOWN:ANONYMOUS realm.

I can see several approaches:

1) Ignore the issue.  The primary use cases for the anonymous project
are kadmin and FAST armor tickets.  This does not become a problem for
either use case.

2) Store WELLKNOWN/ANONYMOUS@REALM in the ccache not
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS.  This is problematic because
you cannot distinguish fully anonymous tickets received via the AS
request from partially anonymous tickets received via the TGS req.  We
don't currently support the second class of tickets, but the draft does
and we may some day.

3) Introduce functionality to find the first TGT in the ccache when
trying to contact the client's KDC and using the anonymous realm.

I favor option 1 for now with option 3 in the future.
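As an added illustration (not code from the krb5 library or from this post), the realm-selection step described above, with option 3's fallback to the first TGT in the ccache when the client is in the anonymous realm. The structures, the function name and the sample ccache contents are simplified stand-ins, not the real krb5 API.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the krb5 ccache and credential structures;
 * this is an added illustration, not the real krb5 API. */
#define ANON_REALM "WELLKNOWN:ANONYMOUS"
#define MAX_CREDS 8

typedef struct { const char *server; } cred_t;   /* e.g. "krbtgt/X@X" */
typedef struct {
    const char *default_principal;               /* ccache client principal */
    cred_t creds[MAX_CREDS];
    int ncreds;
} ccache_t;

/* Realm part of a principal string, or NULL if it has no '@'. */
static const char *principal_realm(const char *princ) {
    const char *at = strrchr(princ, '@');
    return at ? at + 1 : NULL;
}

/* Decide which realm to send a TGS request to once the host-realm lookup
 * has returned the null realm.  Ordinary clients use the realm of the ccache
 * default principal.  For an anonymous-realm client, scan the ccache for the
 * first krbtgt/X@X credential and use X (option 3 from the post).  Returns
 * NULL when no usable realm exists, which is the failure the post shows. */
const char *pick_client_kdc_realm(const ccache_t *cc, const char *referral_realm) {
    if (referral_realm != NULL && *referral_realm != '\0')
        return referral_realm;                   /* domain_realm gave an answer */
    const char *realm = principal_realm(cc->default_principal);
    if (realm == NULL)
        return NULL;
    if (strcmp(realm, ANON_REALM) != 0)
        return realm;                            /* ordinary client: own realm */
    for (int i = 0; i < cc->ncreds; i++) {
        const char *s = cc->creds[i].server;
        if (strncmp(s, "krbtgt/", 7) != 0)
            continue;
        const char *r = principal_realm(s);      /* realm of the TGT */
        size_t n = r ? strlen(r) : 0;
        /* Accept only krbtgt/X@X, i.e. a TGT for realm X itself. */
        if (r != NULL && strncmp(s + 7, r, n) == 0 && s[7 + n] == '@')
            return r;
    }
    return NULL;                                 /* no TGT in the ccache */
}
```

With the ccache from the post (anonymous client, one krbtgt/SUCHDAMAGE.ORG@SUCHDAMAGE.ORG entry) the function returns SUCHDAMAGE.ORG; with no TGT, or only a cross-realm TGT, it returns NULL.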
