-
Title
Should use-server-referrals be used in vas.conf? -
Description
The entry for use-server-referrals in the vas.conf man page has the following statement, can it still be used:
WARNING: This setting is now obsolete. Functionality for server referrals is now built into the current Heimdal kerberos library
being used. This setting should no longer be needed, and setting it could cause odd behavior cross forest. -
Resolution
The use-server-referrals setting should not be used.
In some situations it can cause vasd to lock up. Certain cross forest logins can trigger this. The main issue it was made to fix is fixed in the heimdal we now use.
The setting makes a bad request work. For example, if I want to talk to a server in domain B, but I send the request to domain A, referrals makes it ask in such a way that domain A can tell us we really need to go to domain B.
It's main use was around ssh gssapi passwordless login, making sure we talk to the right domain without having to set [domain_realm].
The use-server-referrals setting helps smooth over invalid requests so if you are seeing an issue with running ldap commands for example after disabling use-server-referrals something is invalid.