[38692] in Kerberos


Re: referrals and canonicalization

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Thu Feb 27 14:24:37 2020

In-Reply-To: <CAP9ATsJd2jo_d09kwAMOY3p5y3gQ_9_71RhakciRJbZSSj0HSg@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 27 Feb 2020 20:23:59 +0100
Message-ID: <CAC-fF8TDTSC2myHAgyEQQ4nUuk=0vX=GJdHAqCerF__kEkjk9w@mail.gmail.com>
To: Ben Gooley <bgooley@cloudera.com>
Cc: kerberos <kerberos@mit.edu>

On Thu, Feb 27, 2020 at 8:03 PM Ben Gooley <bgooley@cloudera.com> wrote:
>
> Hello everyone,
>
> Java just decided to support Kerberos referrals and canonicalization and it
> is turned on by default.
> This brings up a question about implementation in MIT Kerberos:
>
> Does MIT Kerberos support referrals by default or must canonicalization be
> turned on in order to handle referrals?

Can you be more specific? What use case exactly do you have in mind?
Roughly, I think in MIT, both client and KDC won't do referrals if the
canonicalize flag was not set on the request, but it is often set
automatically.

BTW, in my opinion, we shouldn't care about the canonicalize flag for
referrals. Windows doesn't seem to really care either (they'll return
both client and server referrals, even with the flag off), I think MS
just abused this flag in RFC 6806 as a generic excuse flag whenever
they deviated from RFC 4120 (while they only use the flag for
canonicalization purposes).
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
