On Thu, Feb 27, 2020 at 8:03 PM Ben Gooley <bgoo...@cloudera.com> wrote: > > Hello everyone, > > Java just decided to support Kerberos referrals and canonicalization and it > is turned on by default. > This brings up a question about implementation in MIT Kerberos: > > Does MIT Kerberos support referrals by default or must canonicalization be > turned on in order to handle referrals?
Can you be more specific, what use case exactly do you have in mind. Roughly, I think in MIT, both client and KDC won't do referrals if the canonicalize flag was not set on the request, but it is often set automatically. BTW, I my opinion, we shouldn't care about the canonicalize flag for referrals. Windows doesn't seem to really care either (they'll return both client and server referrals, even with the flag off), I think MS just abused this flag in RFC 6806 as a generic excuse flag whenever they deviated from RFC 4120 (while they only use the flag for canoicalization purposes). ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
