From 403a445f5b2e69232c8c5f4789ef2a8787c44f2d Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Fri, 8 Oct 2021 02:23:44 -0500 Subject: [PATCH] krb5: Document TGS HDB entry alias referral feature --- lib/krb5/krb5.conf.5 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5 index 92475615d..9b2994bf4 100644 --- a/lib/krb5/krb5.conf.5 +++ b/lib/krb5/krb5.conf.5 @@ -521,6 +521,21 @@ The default value is false. .El .It Li [domain_realm] This is a list of mappings from DNS domain to Kerberos realm. +.Pp +It is used by the client and the TGS both to determine the realm +of host-based service principal names based on the principal's +hostname component. +.Pp +The client may try DNS to determine a host's realm; see the +`dns_lookup_realm' parameter, and see below. +.Pp +The TGS will issue a referral when a host-based service does not +exist in the requested realm but can be mapped with these rules +to a different realm. +The TGS will also issue a referral when a host-based service +exists in the requested realm as an alias of a service in another +realm. +.Pp Each binding in this section looks like: .Pp .Dl domain = realm
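Review bot: The last added sentence ("The TGS will also issue a referral when a host-based service exists in the requested realm as an alias of a service in another realm") describes a case that, going by the subject line, is driven by HDB entry aliases rather than by the [domain_realm] mappings this section documents. A reader cannot tell from this text how such an alias is set up, or which rule applies when a service both exists as an alias and matches a domain = realm mapping. Suggest stating that the alias case does not depend on [domain_realm] and pointing to where aliases are configured. Two style points in the second added paragraph: `dns_lookup_realm' uses ASCII quoting where the surrounding lines use mdoc macros (.Li, .Dl), so ".Li dns_lookup_realm" would be consistent; and "see below" has no identifiable target in the visible lines, so name what is being referred to. In the first added paragraph, "It is used by the client and the TGS both to determine" reads more cleanly as "Both the client and the TGS use it to determine".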