KDC query client performance

Greg Hudson ghudson at MIT.EDU
Mon Feb 14 13:36:23 EST 2011


On Mon, 2011-02-14 at 13:14 -0500, Henry B. Hotz wrote:
> Agree with the eventual goal.  Maybe it's just me, but I'm not yet
> comfortable with depending on referrals instead of the traditional
> realm/domain-walk.  Wouldn't want it turned off by default until
> Solaris 10 clients support referral tickets by default (which I
> haven't checked).

We wouldn't be relying on service principal referrals.  We'd be relying
on the behavior where if you ask a KDC for krbtgt/OTHERREALM@LOCALREALM,
the KDC performs the realm walk internally (or uses its own capaths
configuration) and responds with an intermediate TGT.  That KDC logic
has been implemented since at least MIT krb5 1.1 and probably every
release of Heimdal and Active Directory.

I'm not sure how Solaris 10 client behavior would have an impact on this
anyway, since we're not talking about changing KDC logic.

To elaborate, let's say you're in the realm MY.HOME.REALM.COM and you
try to "ssh dialup.far.off.org", where far.off.org has never heard of
Kerberos and certainly has no mapping in your client's domain_realm
profile.  Currently we will try referrals first (so we'll query
host/dialup.far.off.org@LOCALREALM with referrals).

When that comes up empty we'll guess that the machine might be in the
FAR.OFF.ORG realm and query for krbtgt/FAR.OFF.ORG@MY.HOME.REALM.COM.
That part's great and we'll keep doing it.  What we don't want is for
the client to keep trying intermediate realm candidates:

  krbtgt/OFF.ORG@MY.HOME.REALM.COM
  krbtgt/ORG@MY.HOME.REALM.COM
  krbtgt/COM@MY.HOME.REALM.COM
  krbtgt/REALM.COM@MY.HOME.REALM.COM
  krbtgt/HOME.REALM.COM@MY.HOME.REALM.COM

These queries are all pointless; we have high confidence that the KDC
already searched for those principals when the client made its initial
krbtgt query.
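
The query sequence discussed above, as an added example that is not part of the original message and is not krb5 code. The function names are hypothetical, principals are written in name@REALM form, and the handling of realms that share a suffix goes beyond the message's example and assumes the usual hierarchical walk (up to the nearest common ancestor, then down).

```python
# Added illustration: models which krbtgt principals a client asks its local
# KDC for, with and without the client-side intermediate realm walk.
# All function names are hypothetical; none of this is a krb5 API.

def ancestors(realm):
    """Return the realm followed by each parent (leading labels stripped)."""
    labels = realm.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def hierarchical_path(local, target):
    """Realms on the hierarchical walk from local to target, inclusive."""
    up = ancestors(local)     # e.g. MY.HOME.REALM.COM ... COM
    down = ancestors(target)  # e.g. FAR.OFF.ORG ... ORG
    common = [r for r in up if r in down]
    if common:
        # Assumption: stop climbing at the nearest shared ancestor.
        pivot = common[0]
        up = up[:up.index(pivot) + 1]
        down = down[:down.index(pivot)]
    return up + down[::-1]

def krbtgt_queries(local, target, walk_on_client):
    """krbtgt principals requested from the local KDC, in order.

    walk_on_client=True models the behaviour the message wants to drop:
    after the target realm, every intermediate realm is tried, nearest the
    target first. False keeps only the direct query and leaves the walk
    (or capaths lookup) to the KDC.
    """
    path = hierarchical_path(local, target)
    candidates = path[:0:-1] if walk_on_client else [target]
    return [f"krbtgt/{r}@{local}" for r in candidates]

if __name__ == "__main__":
    # Realm names taken from the message's example.
    local, target = "MY.HOME.REALM.COM", "FAR.OFF.ORG"
    for walk in (True, False):
        queries = krbtgt_queries(local, target, walk)
        print(f"client-side walk={walk}: {len(queries)} TGS request(s)")
        for q in queries:
            print("  " + q)
```
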




