KDC query client performance
Henry B. Hotz
hotz at jpl.nasa.gov
Mon Feb 14 14:10:17 EST 2011
Thanks for the clarification, especially of the client/KDC overlap. That reduces my discomfort considerably.
On Feb 14, 2011, at 10:36 AM, Greg Hudson wrote:
> On Mon, 2011-02-14 at 13:14 -0500, Henry B. Hotz wrote:
>> Agree with the eventual goal. Maybe it's just me, but I'm not yet
>> comfortable with depending on referrals instead of the traditional
>> realm/domain-walk. Wouldn't want it turned off by default until
>> Solaris 10 clients support referral tickets by default (which I
>> haven't checked).
>
> We wouldn't be relying on service principal referrals. We'd be relying
> on the behavior where if you ask a KDC for krbtgt/OTHERREALM at LOCALREALM,
> the KDC performs the realm walk internally (or uses its own capaths
> configuration) and responds with an intermediate TGT. That KDC logic
> has been implemented since at least MIT krb5 1.1 and probably every
> release of Heimdal and Active Directory.
>
> I'm not sure how Solaris 10 client behavior would have an impact on this
> anyway, since we're not talking about changing KDC logic.
>
> To elaborate, let's say you're in the realm MY.HOME.REALM.COM and you
> try to "ssh dialup.far.off.org", where far.off.org has never heard of
> Kerberos and certainly has no mapping in your client's domain_realm
> profile. Currently we will try referrals first (so we'll query
> host/dialup.far.off.org at LOCALREALM with referrals).
>
> When that comes up empty we'll guess that the machine might be in the
> FAR.OFF.ORG realm and query for krbtgt/FAR.OFF.ORG at MY.HOME.REALM.COM.
> That part's great and we'll keep doing it. What we don't want is for
> the client to keep trying intermediate realm candidates:
>
> krbtgt/OFF.ORG at MY.HOME.REALM.COM
> krbtgt/ORG at MY.HOME.REALM.COM
> krbtgt/COM at MY.HOME.REALM.COM
> krbtgt/REALM.COM at MY.HOME.REALM.COM
> krbtgt/HOME.REALM.COM at MY.HOME.REALM.COM
>
> These queries are all pointless; we have high confidence that the KDC
> already searched for those principals when the client made its initial
> krbtgt query.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the krbdev
mailing list