RFR 8215032: Support Kerberos cross-realm referrals (RFC 6806)
Martin Balao
mbalao at redhat.com
Thu Jun 6 15:38:21 UTC 2019
Hi Max,
On 6/5/19 10:20 PM, Weijun Wang wrote:
> For the server referral part, I think we can clone some existing cross-realm authentication test and remove the [domain_realm] part in the client's krb5.conf and see if the authentication still succeeds.
I'm not sure why you would remove the DNS-realm information from
there. Perhaps you meant the static paths. But unless the KDC has
information to refer to a different KDC, this should not work.
> For the client part, do you have a test procedure?
>
My real testing environment is Windows 2016 based and includes 3
servers, which I've configured through a series of PowerShell commands.
My understanding is that you prefer to use MIT's krb5 server so this
won't be useful.
I'm not sure how you configured your MIT krb5 server but my
understanding is that something as described/implemented by the
"cross_realms" function [1] [2] is needed. Referral information is added
in the form of "adding principals" [3].
Thanks,
Martin.-
--
[1] - https://github.com/krb5/krb5/blob/master/src/util/k5test.py#L177
[2] - https://github.com/krb5/krb5/blob/master/src/util/k5test.py#L1144
[3] - https://github.com/krb5/krb5/blob/master/src/util/k5test.py#L1200