[32306] in Kerberos


Re: Problems with TGS referral ...

daemon@ATHENA.MIT.EDU (Tom Yu)
Tue May 4 16:53:53 2010

To: "Richard E. Silverman" <res@qoxp.net>
From: Tom Yu <tlyu@mit.edu>
Date: Tue, 04 May 2010 16:53:40 -0400
In-Reply-To: <m2wrvk45y9.fsf@darwin.oankali.net> (Richard E. Silverman's
	message of "Tue, 04 May 2010 01:00:14 -0400")
Message-ID: <ldvpr1be6cr.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

"Richard E. Silverman" <res@qoxp.net> writes:

> The MIT code also requires that the principal type in the request be
> NT-HST-SRV in order for it to automatically issue referrals; Windows,
> however, sets the type to NT-HST-SRV.  The logic is this (comments taken

I think you mean NT-SRV-INST.

> Given this, I had to patch the code to get it working, but it does work.
> Also, you have to code the host->realm mappings for hosts you want
> referrals on into krb5.conf; it doesn't seem to use the DNS for this
> (_kerberos TXT RR's).  You'd have to be careful with that anyway; it would
> be very easy to get referral loops, given that the Windows and Unix views
> of realm membership don't match up.

This should be fixed in krb5-1.8.1.  See RT ticket #6685:

    http://krbdev.mit.edu/rt/Ticket/Display.html?id=6685
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
