svn rev #18598: trunk/ src/appl/telnet/libtelnet/ src/include/ src/include/krb5/ ...
hartmans@MIT.EDU
Wed Sep 20 21:48:54 EDT 2006
Commit By: hartmans
Log Message:
ticket: 2652
Owner: amb
Set the canonicalize flag in TGS requests and accept cross-realm referral tickets.
We do not yet accept tickets in which the server name changes.
* krb5_sname_to_principal: If there is no domain realm mapping return null realm
* krb5_get_cred_via_tkt: New behavior as described below

1) the referrals case:
  - check for TGT for initial realm
  - if a remote realm was specified (which must have happened via a
    domain_realm mapping), obtain a TGT for it the standard way and
    start with that.
  - use client realm for server if not specified
  - iterate through this loop:
    - request ticket with referrals turned on
    - if that fails:
      - if this was the first request, punt to non-referrals case
      - otherwise, retry once without referrals turned on then terminate
        either way
    - if it works, either use the service ticket or follow the referral path
    - if loop count exceeded, hardfail
2) the nonreferrals case
  - this is mostly the old walk_realm_tree TGT-finding (which allows
    limited shortcut referrals per 4120) followed by a standard tgs-req.
  - originally requested principal is used for this, although if we were
    handed something without a realm, determine a fallback realm based on
    DNS TXT records or a truncation of the domain name.
Changed Files:
_U trunk/
U trunk/src/appl/telnet/libtelnet/kerberos5.c
U trunk/src/include/k5-int.h
U trunk/src/include/krb5/krb5.hin
U trunk/src/lib/krb5/krb/copy_princ.c
U trunk/src/lib/krb5/krb/gc_frm_kdc.c
U trunk/src/lib/krb5/krb/gc_via_tkt.c
U trunk/src/lib/krb5/krb/parse.c
U trunk/src/lib/krb5/krb/princ_comp.c
U trunk/src/lib/krb5/krb/walk_rtree.c
U trunk/src/lib/krb5/libkrb5.exports
U trunk/src/lib/krb5/os/hst_realm.c
U trunk/src/lib/krb5/os/sn2princ.c
U trunk/src/lib/krb5_32.def
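
The referral loop in the log message above, sketched as an added example; it is not code from this commit or from MIT krb5. `chase_referrals`, `tgs_fn`, the mock KDCs, the realm names and the bound `MAX_REFERRALS` are hypothetical, and a failed non-referral retry is assumed to end in failure.

```c
#include <stdio.h>
#include <string.h>

#define MAX_REFERRALS 5   /* assumed bound; the log message gives no number */
enum outcome { GOT_TICKET, USE_NONREFERRAL, FAILED };
enum reply_kind { REPLY_TICKET, REPLY_REFERRAL, REPLY_ERROR };
struct reply { enum reply_kind kind; const char *next_realm; };

/* Hypothetical stand-in for one TGS exchange with the KDC of `realm`. */
typedef struct reply (*tgs_fn)(const char *realm, int canonicalize);

enum outcome chase_referrals(const char *realm, tgs_fn tgs, int *hops)
{
    for (*hops = 0; *hops < MAX_REFERRALS; (*hops)++) {
        struct reply r = tgs(realm, 1);          /* referrals turned on */
        if (r.kind == REPLY_ERROR) {
            if (*hops == 0)
                return USE_NONREFERRAL;          /* first request: punt */
            r = tgs(realm, 0);                   /* retry once, then stop */
            return r.kind == REPLY_TICKET ? GOT_TICKET : FAILED;
        }
        if (r.kind == REPLY_TICKET)
            return GOT_TICKET;                   /* use the service ticket */
        realm = r.next_realm;                    /* follow the referral */
    }
    return FAILED;                               /* loop count exceeded */
}

/* Constructed mock KDCs; the realm names are made up. */
struct reply kdc_loop(const char *realm, int canon)  /* A and B refer to each other */
{
    (void)canon;
    return (struct reply){ REPLY_REFERRAL,
        strcmp(realm, "A.EXAMPLE") == 0 ? "B.EXAMPLE" : "A.EXAMPLE" };
}
struct reply kdc_strict_b(const char *realm, int canon)  /* A refers to B; B rejects the flag */
{
    if (strcmp(realm, "A.EXAMPLE") == 0)
        return (struct reply){ REPLY_REFERRAL, "B.EXAMPLE" };
    return (struct reply){ canon ? REPLY_ERROR : REPLY_TICKET, NULL };
}

int main(void)
{
    int hops;
    enum outcome o = chase_referrals("A.EXAMPLE", kdc_loop, &hops);
    printf("referral cycle: outcome=%d hops=%d\n", o, hops);
    o = chase_referrals("A.EXAMPLE", kdc_strict_b, &hops);
    printf("retry without referrals: outcome=%d hops=%d\n", o, hops);
    return 0;
}
```

The hop bound is what stops two realms that refer to each other from keeping the client in the loop indefinitely.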