[krbdev.mit.edu #7483] KDC can return host referral to its own realm
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Dec 6 20:43:23 EST 2012
If we don't find the service principal in a TGS request, and it looks
like a host-based principal, we return a realm referral if we can look up
the realm in the KDC's domain_realm configuration.
We should not do this if the realm we find is the same as the service
realm. Receiving a referral back to the same realm is only going to
confuse the client. In the best case, the client will detect this case
and fall back to a request without the canonicalize flag (see #4955 and
#7016); in the worst case, the client might overwrite its cached local
TGT (reportedly true on OS X 10.7).
More information about the krb5-bugs
mailing list