When enterprise names are used we may know that a particular Name belongs to a different realm we know of (for example via trusts).
In that case the DB driver can return a referral to the client to direct it to ask a different KDC/realm.
We should use this feature to redirect AD users of a trusted realm trying to authenticate against our KDC, as this can reduce the need to set CApaths in client machines and improve interop.
Note: we can probably use the same method also for TGS requests.
It seems that this ticket is a duplicate of #3559 and #3983.
Agreed - closing as duplicate to #3559.
Metadata Update from @simo: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.0 Backlog