Followup on the referral discussion

Isaac Boukris iboukris at gmail.com
Sat Dec 21 14:37:27 EST 2019


Hi Greg, all

Later last week, I had a call with metze in which he corrected me
about a couple of things I mentioned in our discussion. In short,
unlike what I said, referrals should always work in Windows env, for
both forest and external trusts.

He also suggested that making assumptions based on the name type on
the client side is not correct, and that we should not override the
realm when requested but rather chase referrals to krbtgt/srealm and
then chase again referrals to server (and that could be made to work
with NetBIOS realms, if canonicalize is set).

These two stages can easily be applied to cross-realm S4U2Self, just
s/srealm/icrealm, but not to RBCD as far as I can think of.

Isaac

