Kevin Coffman wrote:
On 11/9/05, Josh Howlett <[EMAIL PROTECTED]> wrote:

Kevin Coffman wrote:

We started with a patch that assumed all referrals would go to one place.

We had a need to send referrals to either a test Windows forest or a
production forest.  That is where the [domain_referral] stuff came
from.  Then we found that some requests were coming in without
fully-qualified names, and therefore we could not determine the
"right" place for the referral.  For those requests, we send the
referral to the default place, which in our case is to the production
forest.

Kevin,

Do you think it would be possible to introduce an MIT KDC into an
existing AD environment, such that W2K clients in the AD realm (if
making a request for an unknown principal) can get referred to the MIT
KDC's "default" place?


I think you're asking if an AD KDC can send a client a referral to an
MIT KDC.  If that is correct, then I don't know the answer.  If it
isn't correct, could you restate the question?

We have an existing AD KDC which contains all of our user principals.

We would like to enable these users to access applications in other remote realms, but because these realms are very numerous we don't want to establish cross-realm relationships with each of them.

Instead, would it be possible to implement an MIT KDC that acted *purely* (i.e. no user principals) as a "referral realm"? The referral agent would know (and have a trust relationship with) each other remote realm.

          Referral realm
            /    |    \
           /     |     \
     Realm A   Realm B  Realm C   (actually many more of these)
       /                  \
     User                Application

Assuming Realm A is an AD, there is the additional problem that Windows doesn't provide referrals to realms it doesn't explicitly know about.

Hence, it seems necessary to have a "shim" between the User and the realm's AD KDC that can catch the requests for remote principals, and refer the User to the Referral realm. Would it be possible to implement this using the MIT referral system, without making significant changes to the existing AD?

  Referral realm
        |
    ------- Realm A ---
        |
 User--MIT--Windows KDC & AD

Does that help?

josh.
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos