Thank you for pointing that out, Jeff!! But a little correction: Heimdal does support cross-realm referral.
Cheers,
lara

--- Jeffrey Hutzelman <[EMAIL PROTECTED]> wrote:

> On Tuesday, March 30, 2004 06:13:20 -0800 Lara Adianto
> <[EMAIL PROTECTED]> wrote:
>
> > I have a doubt on the following line:
> > Target Name: HOST/[EMAIL PROTECTED]
> > Shouldn't the client send a TGS_REQ for
> > HOST/[EMAIL PROTECTED] instead?
> >
> > But if my doubt is correct, how can the client know
> > that test_w2kserver is in LARA_W2K realm and not
> > LARA_HMD?
>
> In the traditional scenario, services are named using principal names like
> service/fully.qualified.domain.name, where <service> could be "host" or
> some more specific name, depending on what service you're talking to. The
> default assumption is that the realm of such a service is computed by
> dropping the first component of the host's fully qualified name, and
> upcasing the rest. So service/fully.qualified.domain.name would be in the
> realm QUALIFIED.DOMAIN.NAME. Each client then has a configuration file
> which describes variations on and exceptions to this algorithm.
>
> Microsoft chose a different approach, the main intent of which is to
> concentrate service-to-realm mappings in the KDC's, eliminating the need to
> distribute a complex configuration file to every client. In this model, a
> client always starts by assuming the service is in the user's home realm,
> and thus sends a TGS request to the user's home KDC. If the service
> actually is in that realm, it gets a ticket back. If not, the KDC is
> expected to send a cross-realm referral, in the form of a cross-realm TGT
> for the correct realm (or at least another realm that's "closer" to the
> correct realm).
>
> The main problem you're seeing is that the heimdal KDC does not issue
> cross-realm referrals. As a result, you cannot contact any service not in
> your home realm.
>
> If your client machine is a member of the LARA_W2K domain, then it is
> possible under certain circumstances to convince it that it should try
> sending requests to that realm as well. I'm not familiar with exactly what
> needs to be done, but I'd hope the Microsoft Kerberos interop document
> would cover this case.
>
> Good luck...
>
> -- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
> Sr. Research Systems Programmer
> School of Computer Science - Research Computing Facility
> Carnegie Mellon University - Pittsburgh, PA

=====
------------------------------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks.
- Guy de Maupassant -
------------------------------------------------------------------------------------

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
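The two answers to Lara's question ("how can the client know that test_w2kserver is in LARA_W2K and not LARA_HMD?") that Jeff contrasts, written out as an added example. This is illustration code written for this page, not code from the post, from Heimdal, or from Windows. Model 1 is the traditional client-side mapping: the drop-the-first-label-and-upcase default plus a per-client exception table in the style of krb5.conf's [domain_realm] section. Model 2 is the Microsoft-style flow: the client always asks its home KDC, and a toy KDC answers a TGS-REQ with either a service ticket or a krbtgt referral for the realm it believes owns the host. All host names, trusts and KDC behaviour are constructed for the example; only the realm names LARA_W2K and LARA_HMD come from the thread. The refers=False switch is an assumption used to model a home KDC that never issues referrals, which is the failure Jeff describes.

```python
"""Realm resolution for a service principal in the two models from the thread.

Added illustration, not code from the post or from any Kerberos implementation.
Every host name, trust and KDC behaviour below is constructed; only the realm
names LARA_W2K and LARA_HMD are taken from the thread."""


# ---- Model 1: the client decides the realm --------------------------------

def default_realm(host):
    """Default rule from the post: drop the first label of the fully qualified
    host name and upcase the remainder."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        raise ValueError("need a fully qualified host name, got %r" % host)
    return ".".join(labels[1:]).upper()


def realm_for_host(host, domain_realm):
    """Consult a per-client exception table before falling back to the default.

    Table semantics follow krb5.conf [domain_realm]: a key with no leading dot
    names one host exactly, a key with a leading dot covers every host under
    that domain, and the most specific match wins."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):            # ".b.c.d", then ".c.d", ...
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return default_realm(host)


# Constructed client-side table.  Without the first entry the default rule
# would place test_w2kserver in W2K.EXAMPLE.TEST; this is the kind of
# exception every client has to carry in the traditional model.
DOMAIN_REALM = {
    "test_w2kserver.w2k.example.test": "LARA_W2K",
    ".hmd.example.test": "LARA_HMD",
}


# ---- Model 2: the KDC decides and refers the client elsewhere -------------

class KDC:
    """Toy KDC covering only the TGS exchange (no crypto, no ASN.1).

    services       host names this KDC issues service tickets for
    trusts         realms it shares a cross-realm key with, i.e. it can hand
                   out krbtgt/<that realm>@<this realm>
    service_realm  KDC-side host-to-realm mapping replacing the client tables
    refers         False models a KDC that never issues referrals (assumption
                   used to reproduce the situation described in the thread)"""

    def __init__(self, realm, services, trusts, service_realm, refers=True):
        self.realm = realm
        self.services = set(services)
        self.trusts = set(trusts)
        self.service_realm = dict(service_realm)
        self.refers = refers

    def tgs_req(self, service_host):
        """Answer one TGS-REQ for host/<service_host>."""
        if service_host in self.services:
            return ("ticket", "host/%s@%s" % (service_host, self.realm))
        target = self.service_realm.get(service_host)
        if self.refers and target in self.trusts:
            return ("referral", "krbtgt/%s@%s" % (target, self.realm))
        # A KDC that cannot or will not refer can only report the principal
        # as unknown; the client is then stuck in its home realm.
        return ("error", "KDC_ERR_S_PRINCIPAL_UNKNOWN")


def get_service_ticket(home_realm, kdcs, service_host, max_hops=4):
    """Microsoft-model client: always ask the home KDC first, then follow
    referrals.  Returns (outcome, detail, realms asked in order)."""
    realm, asked = home_realm, []
    for _ in range(max_hops):
        asked.append(realm)
        kind, value = kdcs[realm].tgs_req(service_host)
        if kind == "ticket":
            return ("ticket", value, asked)
        if kind != "referral":
            return ("error", value, asked)
        realm = value.split("/", 1)[1].split("@", 1)[0]   # krbtgt/<next>@<issuer>
    return ("error", "too many referral hops", asked)


def make_kdcs(home_refers):
    """Constructed two-realm setup: a user in LARA_HMD talking to a host in
    LARA_W2K, with the home KDC either able or unable to refer."""
    w2k_host = "test_w2kserver.w2k.example.test"
    return {
        "LARA_HMD": KDC("LARA_HMD", {"hmd1.hmd.example.test"}, {"LARA_W2K"},
                        {w2k_host: "LARA_W2K"}, refers=home_refers),
        "LARA_W2K": KDC("LARA_W2K", {w2k_host}, {"LARA_HMD"}, {}),
    }


if __name__ == "__main__":
    host = "test_w2kserver.w2k.example.test"
    print("default rule    :", default_realm(host))
    print("client table    :", realm_for_host(host, DOMAIN_REALM))
    print("KDC refers      :", get_service_ticket("LARA_HMD", make_kdcs(True), host))
    print("KDC never refers:", get_service_ticket("LARA_HMD", make_kdcs(False), host))
```

Running it shows the contrast in one screen: the default rule alone puts the host in W2K.EXAMPLE.TEST, the client table corrects that to LARA_W2K, the referring home KDC leads the client through LARA_HMD to a ticket from LARA_W2K, and the non-referring home KDC ends the exchange with KDC_ERR_S_PRINCIPAL_UNKNOWN after a single hop, which is the "cannot contact any service not in your home realm" outcome from the post. The max_hops bound is there because a referral chain is only expected to move "closer" to the right realm, and a client should not follow it forever.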