On Sat, Jun 01, 2019 at 07:43:42AM +0800, Weijun Wang wrote:
> >> This is for export(), where they use
> >> "WELLKNOWN:ORG.H5L.REFERALS-REALM" but I hesitate to introduce it.
> >
> > Heimdal defines that, but doesn't use it. MIT doesn't even define
> > it.
>
> I thought I saw it with MIT but maybe I got the library setting wrong.
> Anyway, using macOS's builtin krb5 (is that a Heimdal fork?), export()

OS X's Kerberos implementation is a Heimdal fork, yes.

> returns
>
> 0000: 04 01 00 0B 06 09 2A 86 48 86 F7 12 01 02 02 00  ......*.H.......
> 0010: 00 00 31 73 65 72 76 69 63 65 2F 68 6F 73 74 2E  ..1service/host.
> 0020: 6B 33 78 40 57 45 4C 4C 4B 4E 4F 57 4E 3A 4F 52  k3x@WELLKNOWN:OR
> 0030: 47 2E 48 35 4C 2E 52 45 46 45 52 41 4C 53 2D 52  G.H5L.REFERALS-R
> 0040: 45 41 4C 4D                                      EALM

Oh, interesting. I'll bring it up with the other Heimdal maintainers, and
MIT as well. I don't see why an empty realm wouldn't work here, and
there's no realistic need to interop with OS X as to exported name
tokens for non-canonical MNs, but it is supposed to be possible to do
so...

Of course, for canonical MNs from inquiring an established security
context, there would be no "referrals realm", so all implementations
would interop as to exported name tokens for those.

Nico
--
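The dump quoted in the message is a GSS-API exported name token in the RFC 2743 section 3.2 layout (TOK_ID `04 01`, 2-byte mechanism OID length, DER OID, 4-byte name length, name). The following parser is an added example, not part of the original message and not code from the JDK, Heimdal or MIT; the function names are hypothetical, and it assumes a short-form DER length and an ASCII name split on the last `@`.

```python
import struct

# Bytes copied from the hex dump quoted in the message.
TOKEN = bytes.fromhex(
    "04 01 00 0B 06 09 2A 86 48 86 F7 12 01 02 02 00"
    "00 00 31 73 65 72 76 69 63 65 2F 68 6F 73 74 2E"
    "6B 33 78 40 57 45 4C 4C 4B 4E 4F 57 4E 3A 4F 52"
    "47 2E 48 35 4C 2E 52 45 46 45 52 41 4C 53 2D 52"
    "45 41 4C 4D"
)

def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = "more follows"
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)           # first octet group packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_exported_name(token: bytes):
    """Split an exported name token into (mechanism OID, name bytes)."""
    if len(token) < 4 or token[:2] != b"\x04\x01":
        raise ValueError("bad or missing TOK_ID")
    (oid_len,) = struct.unpack(">H", token[2:4])
    oid_der = token[4:4 + oid_len]
    # Assumption: short-form DER length (mechanism OIDs under 128 bytes).
    if (oid_len < 3 or len(oid_der) != oid_len
            or oid_der[0] != 0x06 or oid_der[1] != oid_len - 2):
        raise ValueError("bad mechanism OID")
    pos = 4 + oid_len
    if len(token) < pos + 4:
        raise ValueError("truncated name length")
    (name_len,) = struct.unpack(">I", token[pos:pos + 4])
    name = token[pos + 4:]
    if len(name) != name_len:               # rejects short and trailing data
        raise ValueError("name length mismatch")
    return decode_oid(oid_der[2:]), name

def realm_of(name: bytes) -> str:
    """Realm part of a krb5 name; splits on the last '@' (ignores escaping)."""
    return name.decode("ascii").rpartition("@")[2]

if __name__ == "__main__":
    oid, name = parse_exported_name(TOKEN)
    print(oid, name.decode(), realm_of(name))
```

Because exported name tokens are compared byte for byte, whatever an implementation places after the `@` for a non-canonical name is part of the comparison.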