KDB and referrals/aliases

Greg Hudson ghudson at MIT.EDU
Wed Sep 2 14:44:19 EDT 2009

Okay.  To re-summarize Luke's message:

1. Currently we are not returning aliases in server lookups unless the
client understands referrals (i.e. it set the canonicalize protocol
flag).  This is unnecessarily limiting.

2. The easiest way to change this is to abuse the
KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY flag as an indication that the
lookup is for a client principal.

3. The above change would have the side effect of making kadmin's
"getprinc" see aliases.  I'm not sure if this is a real concern.  If it
is, it could be addressed by adding new DAL interfaces for
administrative operations.

4. We could restructure the flags to make things clearer, but at a
penalty to Novell (and theoretically to anyone else who has made a
custom 1.7 back end).

I am okay with using comments to address the lack of clarity of (2),
although it's disappointing.  I am okay with leaving (3) unsolved since
I'm not sure it's any better for getprinc to fail on an alias name.

More information about the krbdev mailing list