Split IAKERB for local KDCs cross-realm setup?

Greg Hudson ghudson at mit.edu
Fri Mar 28 11:49:09 EDT 2025


On 3/27/25 04:52, Alexander Bokovoy via krbdev wrote:
> IAKERB already allows for the acceptor to respond with
> KRB_AP_ERR_IAKERB_KDC_NOT_FOUND in case the KDC was not found, so maybe
> what we miss is a check in the IAKERB initiator code to see if that KDC
> is actually our own. Then we can perform local operation in the hope to
> obtain a cross-realm referral.

Do we expect a local operation to succeed in this use case?  That is, 
will the initiator's libkrb5 have the configuration needed to contact 
the local KDC once it knows the realm name, without the IAKERB proxy 
through smbserver?  (As a corollary, in the local-realm case are we only 
using IAKERB for realm discovery, with the subsequent proxying of 
AS-REQs and TGS-REQs happening as a side effect?)

One concern is that IAKERB was originally designed for initiators with 
very limited connectivity.  Attempting direct KDC requests in such an 
environment could lead to a timeout.  Having a cached TGT for a realm 
isn't strong evidence that the initiator can contact that realm, as the 
credentials may have been obtained using a previous invocation of IAKERB.

That said, I don't have any evidence that IAKERB is being used in the 
environment it was designed for.
