patch: KDC default referral feature
res at qoxp.net
Wed Jan 2 14:36:54 EST 2013
On Wed, 2 Jan 2013, Greg Hudson wrote:
> On 01/02/2013 12:56 PM, Richard Silverman wrote:
>>> (I'm also not sure why you can't get almost all of the desired behavior
>>> with the existing [domain_realm] referral support.)
>> As I mentioned in the initial writeup, our host/realm mapping is not lined
>> up with host domain names, and Unix clients normally find realms using
>> _kerberos DNS TXT records for this reason [...]
> I'm not suggesting you keep the complete map in the KDC configuration.
> I'm suggesting that a single [domain_realm] entry for ".domain = AD"
> would have basically the same effect as "default_referral_realm = AD".
That's true as far as the referral target is concerned; the real point of
the feature, though, is the option to refuse to issue a referral for a
cross-realm TGT in order to avoid loops -- and as I think about it,
perhaps it's better to just implement that, if you can have a true
catch-all in [domain_realm] with "* = AD" or ". = AD", or some such.
The real problem is that the Windows and Unix views of realm membership
are simply not coordinated, and there's no easy way to make them be:
Windows looks at its global catalog and TLN rules, while Unix looks at its
completely separate configuration (and the DNS, if you're a client). When
we added TLNs to the Windows configuration years ago, that solved the
problem in one direction with an effective default. It happens regularly
that Windows clients ask for non-existent AD principals (which *would* be
in AD, if the services existed), and now instead of getting a "no such
principal" response from AD, they get referred to Unix instead (which then
says "no such principal"). It would be a problem if there were collisions
here, but that doesn't happen because the service names are host-specific
and hosts are in either one realm or the other.
Being able to use "optimistic" referrals (if you will) in both directions
allows us to solve the problem in the other direction (which we didn't run
into in practice until recently, just because of the applications we were
using). It works reliably and with minimal configuration, but it means we
have to avoid referral loops. So far, the same-realm-TGT restriction in
the KDC has done this for us nicely.
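The two-realm referral loop described in this message, and the same-realm-TGT restriction that breaks it, as an added toy model (this is constructed illustration code, not MIT krb5 or Active Directory code; the realm names "AD" and "UNIX", the host principals, and the shape of the referral policy are assumptions made for the example):

```python
"""Toy model of optimistic KDC referrals between two realms.

Constructed illustration of the referral-loop problem, not code from
MIT krb5 or Active Directory. Realm names, principal names and the
shape of the referral policy are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Tgt:
    """A ticket-granting ticket named krbtgt/<for_realm>@<issuer>."""
    for_realm: str   # realm whose KDC accepts this TGT
    issuer: str      # realm whose KDC issued it

    @property
    def is_cross_realm(self) -> bool:
        return self.for_realm != self.issuer

    def __str__(self) -> str:
        return f"krbtgt/{self.for_realm}@{self.issuer}"


@dataclass
class Kdc:
    realm: str
    services: Set[str]               # service principals that exist here
    referral_target: Optional[str]   # catch-all referral realm, or None
    same_realm_tgt_only: bool = True  # refuse to refer a cross-realm TGT

    def tgs_req(self, tgt: Tgt, service: str) -> Tuple[str, Optional[Tgt]]:
        """Handle a TGS-REQ; return (outcome, cross-realm TGT on referral)."""
        assert tgt.for_realm == self.realm, "TGT is not for this realm"
        if service in self.services:
            return ("TICKET", None)
        if self.referral_target is None:
            return ("S_PRINCIPAL_UNKNOWN", None)
        if self.same_realm_tgt_only and tgt.is_cross_realm:
            # Client arrived here by referral already: answer, do not bounce.
            return ("S_PRINCIPAL_UNKNOWN", None)
        return ("REFERRAL", Tgt(for_realm=self.referral_target, issuer=self.realm))


def resolve(kdcs: Dict[str, Kdc], home_realm: str, service: str,
            max_hops: int = 4) -> Tuple[str, List[str]]:
    """Client-side referral chase: returns (final outcome, realms visited)."""
    tgt = Tgt(for_realm=home_realm, issuer=home_realm)
    visited: List[str] = []
    for _ in range(max_hops):
        kdc = kdcs[tgt.for_realm]
        visited.append(kdc.realm)
        outcome, next_tgt = kdc.tgs_req(tgt, service)
        if outcome != "REFERRAL":
            return (outcome, visited)
        tgt = next_tgt
    return ("REFERRAL_LOOP", visited)


def build(same_realm_tgt_only: bool) -> Dict[str, Kdc]:
    """Two constructed realms that refer unknown names to each other.
    Each host lives in exactly one realm, so names never collide."""
    return {
        "AD": Kdc("AD", {"host/winbox"}, referral_target="UNIX",
                  same_realm_tgt_only=same_realm_tgt_only),
        "UNIX": Kdc("UNIX", {"host/nixbox"}, referral_target="AD",
                    same_realm_tgt_only=same_realm_tgt_only),
    }


if __name__ == "__main__":
    for guard in (True, False):
        kdcs = build(guard)
        for svc in ("host/nixbox", "host/ghost"):
            print(f"guard={guard} {svc}: {resolve(kdcs, 'AD', svc)}")
```

With the guard on, a request for a name that exists in neither realm takes exactly one hop and ends in "no such principal" at the referred-to KDC; with the guard off on both sides the two KDCs refer the same request back and forth until the client gives up.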