Split IAKERB for local KDCs cross-realm setup?
Nico Williams
nico at cryptonector.com
Fri Mar 28 15:07:14 EDT 2025
On Fri, Mar 28, 2025 at 08:55:43PM +0200, Alexander Bokovoy via krbdev wrote:
> [... stuff about KDCs accessed over Unix domain sockets ...]
Sure, if you know this (local configuration) or can trivially test for
this then that's cheap and timeout-free. (Is the AF_LOCAL server a
proxy? I guess it would be.)
Presumably the initiator can also know about its start TGT's realm's
KDC's reachability if it acquired it itself.
"Prestashing" is a technique where tickets are orchestrated into place
where they are needed, and in those cases the initiator needs a clue as
to whether the start realm's KDCs are reachable. But if the initiator's
start TGT came from an AS exchange done locally w/o IAKERB then the
initiator can know this (e.g., as an attribute in the ccache file) and
just try contacting that realm's KDCs directly.
Don't forget that we could use ccconfig entries for some of these
things, so even in the prestash case clues can be given to the
initiator. And the ccache and its config entries can be used to track
failures to reach KDCs so that at least retries can go differently even
if that yields a sucky UX.
Nico
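To make the "ccconfig entries track failures to reach KDCs" idea concrete, here is an added example that is not part of the post and not MIT krb5 code. It models a credential cache with a plain dictionary and uses the ccache config-entry naming convention MIT krb5 documents (`krb5_ccache_conf_data/<key>[/<principal>]@X-CACHECONF:`); the key name `kdc_unreachable`, the choice of the realm's TGS principal as the per-entry principal, the timestamp payload, and the back-off ordering policy are all assumptions made for illustration.

```python
"""Hypothetical sketch: record KDC-unreachable failures as ccache config
entries and use them to reorder which realm's KDCs an initiator tries first.

Real pieces: the config-entry principal layout
  krb5_ccache_conf_data/<key>[/<principal>]@X-CACHECONF:
is MIT krb5's. Assumed pieces: the key name "kdc_unreachable", the use of
krbtgt/REALM@REALM as the entry's principal, the timestamp payload, the
dict-backed cache stand-in, and the retry ordering policy.
"""

CONF_PREFIX = "krb5_ccache_conf_data"
CONF_REALM = "X-CACHECONF:"
UNREACHABLE_KEY = "kdc_unreachable"  # assumed key name, not defined by krb5


def _escape(component):
    # Principal unparsing escapes '\', '/' and '@' inside a component.
    return component.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


def _split_components(s):
    """Split 'a/b/c' on unescaped '/' and unescape each piece."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])
            i += 2
            continue
        if c == "/":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def conf_principal(key, principal=None):
    """Build the pseudo-principal under which a config entry is stored."""
    comps = [CONF_PREFIX, key]
    if principal is not None:
        comps.append(principal)
    return "/".join(_escape(c) for c in comps) + "@" + CONF_REALM


def parse_conf_principal(name):
    """Return (key, principal-or-None) for a config entry name, else None."""
    if not name.endswith("@" + CONF_REALM):
        return None
    comps = _split_components(name[: -len(CONF_REALM) - 1])
    if len(comps) < 2 or comps[0] != CONF_PREFIX:
        return None
    return comps[1], (comps[2] if len(comps) > 2 else None)


class FakeCCache:
    """Stand-in for a ccache: maps entry principal name -> data string."""

    def __init__(self):
        self.entries = {}

    def set_config(self, key, principal, data):
        self.entries[conf_principal(key, principal)] = data

    def get_config(self, key, principal):
        return self.entries.get(conf_principal(key, principal))


def tgs_principal(realm):
    # Assumed: use the realm's TGS principal to scope the entry to a realm.
    return "krbtgt/%s@%s" % (realm, realm)


def record_kdc_failure(cc, realm, now):
    """Note that realm's KDCs were unreachable at time `now` (epoch secs)."""
    cc.set_config(UNREACHABLE_KEY, tgs_principal(realm), str(int(now)))


def order_realms_for_retry(cc, realms, now, backoff=300):
    """Realms that failed within `backoff` seconds are tried last, most
    recent failure last of all; untouched realms keep their given order."""

    def sort_key(realm):
        data = cc.get_config(UNREACHABLE_KEY, tgs_principal(realm))
        if data is None:
            return (0, 0)
        age = now - int(data)
        if age >= backoff:
            return (0, 0)  # failure is stale; treat as reachable again
        return (1, -age)  # fresher failures sort later

    return sorted(realms, key=sort_key)


if __name__ == "__main__":
    cc = FakeCCache()
    record_kdc_failure(cc, "EXAMPLE.COM", 1000)
    record_kdc_failure(cc, "OTHER.ORG", 1200)
    print(order_realms_for_retry(cc, ["EXAMPLE.COM", "OTHER.ORG", "THIRD.NET"], 1250))
    for name in cc.entries:
        print(name, "->", parse_conf_principal(name))
```

Against a real cache the two `FakeCCache` methods would map onto MIT krb5's `krb5_cc_set_config()` and `krb5_cc_get_config()`, which take the same (principal, key, data) triple; everything else in the block is the hypothetical policy layered on top.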