Followup on the referral discussion

Greg Hudson ghudson at
Sun Dec 22 02:32:05 EST 2019

On 12/21/19 2:37 PM, Isaac Boukris wrote:
> Later last week, I had a call with metze in which he corrected me
> about a couple of things I mentioned in our discussion. In short,
> unlike what I said, referrals should always work in a Windows env, for
> both forest and external trusts.

I can interpret this in two different ways, and I'm not sure which is meant:

1. For an external trust, the client has to be told the external realm,
but will then follow any referrals issued by that realm.

2. The local KDC knows how to issue referrals to external realms (how
does it decide which SPNs to do this for?), so the client doesn't behave
any differently than it would for a forest trust.

> He also suggested that making assumptions based on the name type on
> the client side is not correct, and that we should not override the
> realm when requested but rather chase referrals to krbtgt/srealm and
> then chase again referrals to server (and that could be made to work
> with NetBIOS realms, if canonicalize is set).

"Chase referrals to krbtgt/srealm" means asking the local KDC for
krbtgt/srealm, and following the issued TGTs until we get there?
If so, that isn't actually a referrals chase in the sense of requiring
RFC 6806 extensions; following alternate TGTs to a realm is specified in
RFC 4120 section 3.3.3.  The second part (following referrals issued by
srealm for the server name) of course requires RFC 6806.

MIT krb5 implements the first part in a pretty complicated way, because
it is supposed to work if either the client or the KDC knows a path to
the specified realm (via [capaths] configuration).
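
Added example, not part of the original message and not MIT krb5 code: a toy model of the two phases discussed above, first walking alternate TGTs to srealm (RFC 4120 section 3.3.3), then chasing RFC 6806 referrals for the server name with canonicalize set. The realm names, the KDCS table, the "closest" mapping and MAX_HOPS are constructed assumptions, and only the case where the KDC (not the client) knows the path is modeled.

```python
# Constructed realms and trust data; a simulation, not real KDC behaviour.
KDCS = {
    "A.EXAMPLE": {"cross": {"B.EXAMPLE"}, "closest": {"C.EXAMPLE": "B.EXAMPLE"},
                  "services": set(), "referrals": {}},
    "B.EXAMPLE": {"cross": {"C.EXAMPLE"}, "closest": {},
                  "services": set(), "referrals": {}},
    "C.EXAMPLE": {"cross": {"D.EXAMPLE"}, "closest": {}, "services": set(),
                  "referrals": {"host/db.d.example": "D.EXAMPLE"}},
    "D.EXAMPLE": {"cross": set(), "closest": {},
                  "services": {"host/db.d.example"}, "referrals": {}},
}
MAX_HOPS = 5  # assumed limit so a referral loop terminates


def tgs_req(realm, sname, canonicalize=False):
    """Return the principal of the ticket the simulated KDC of `realm` issues."""
    kdc = KDCS[realm]
    if sname.startswith("krbtgt/"):
        target = sname.split("/", 1)[1]
        if target in kdc["cross"]:
            return f"krbtgt/{target}@{realm}"
        if target in kdc["closest"]:  # RFC 4120 3.3.3: TGT for a closer realm
            return f"krbtgt/{kdc['closest'][target]}@{realm}"
        raise LookupError(f"{realm}: no path to {target}")
    if sname in kdc["services"]:
        return f"{sname}@{realm}"
    if canonicalize and sname in kdc["referrals"]:  # RFC 6806 referral TGT
        return f"krbtgt/{kdc['referrals'][sname]}@{realm}"
    raise LookupError(f"{realm}: unknown server {sname}")


def get_ticket(local_realm, srealm, sname):
    """Walk TGTs to srealm, then chase referrals for sname; return the trace."""
    realm, in_srealm, trace = local_realm, local_realm == srealm, []
    for _ in range(MAX_HOPS):
        if not in_srealm:
            issued = tgs_req(realm, f"krbtgt/{srealm}")        # phase 1
        else:
            issued = tgs_req(realm, sname, canonicalize=True)  # phase 2
        trace.append(issued)
        if not issued.startswith("krbtgt/"):
            return trace  # service ticket obtained
        realm = issued.split("/", 1)[1].split("@")[0]  # realm the TGT is for
        in_srealm = in_srealm or realm == srealm
    raise RuntimeError("hop limit exceeded; possible referral loop")
```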
