From 21ada15e0846cb74c37c6f129ff870d8ece66cfa Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Tue, 3 Jan 2023 01:34:03 -0600
Subject: [PATCH] krb5: Expand breadcrumb commentary in _krb5_get_host_realm_int()

---
 lib/krb5/get_host_realm.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/lib/krb5/get_host_realm.c b/lib/krb5/get_host_realm.c
index 1fbc4185a..fdf851340 100644
--- a/lib/krb5/get_host_realm.c
+++ b/lib/krb5/get_host_realm.c
@@ -220,11 +220,20 @@ _krb5_get_host_realm_int(krb5_context context,
 /*
 * If 'p' is NULL, we did not find an explicit realm mapping in either the
- * configuration file or DNS. Try the hostname suffix as a last resort.
+ * configuration file or DNS. Try the hostname suffix -upcased- as a realm
+ * as a last resort.
 *
- * XXX: If we implement a KDC-specific variant of this function just for
- * referrals, we could check whether we have a cross-realm TGT for the
- * realm in question, and if not try the parent (loop again).
+ * NOTE: If we implement a KDC-specific variant of this function just for
+ * referrals, we could check whether we have a cross-realm TGT for the
+ * realm in question, and if not try the parent (loop again). Such a
+ * variant would have to have access to the HDB, naturally.
+ *
+ * We should start by adding an argument to this function that
+ * indicates whether this fallback here is desired (the KDC wouldn't
+ * desire it). Then when the KDC gets KRB5_ERR_HOST_REALM_UNKNOWN
+ * from this function, the KDC would search the HDB for cross-realm
+ * krbtgt principals that denote a hierarchical path to a realm that
+ * matches the host's domain suffix (or a suffix of it...).
 */
 if (p == NULL) {
 p = strchr(host, '.');