svn rev #21693: trunk/src/ include/ kdc/
hartmans@MIT.EDU
hartmans at MIT.EDU
Sat Jan 3 18:20:32 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=21693
Commit By: hartmans
Log Message:
xrealm_non_transitive not trust_non_transitive
Kerberos does not imply trust in the existence of a cross-realm key.
Trust is implied when a foreign principal is placed on an ACL: the remote realm
is trusted to authenticate that principal and is trusted
not to confuse one principal with another.
Keep terminology consistent.
Changed Files:
U trunk/src/include/kdb_ext.h
U trunk/src/kdc/kdc_util.c
Modified: trunk/src/include/kdb_ext.h
===================================================================
--- trunk/src/include/kdb_ext.h 2009-01-03 23:20:26 UTC (rev 21692)
+++ trunk/src/include/kdb_ext.h 2009-01-03 23:20:31 UTC (rev 21693)
@@ -39,8 +39,8 @@
#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000
/* Private flag used to indicate principal is local TGS */
#define KRB5_KDB_TICKET_GRANTING_SERVICE 0x01000000
-/* Private flag used to indicate trust is non-transitive */
-#define KRB5_KDB_TRUST_NON_TRANSITIVE 0x02000000
+/* Private flag used to indicate xrealm relationship is non-transitive */
+#define KRB5_KDB_xrealm_NON_TRANSITIVE 0x02000000
/* Entry get flags */
/* Name canonicalization requested */
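Review bot: The new macro name `KRB5_KDB_xrealm_NON_TRANSITIVE` puts lower case inside an otherwise upper-case constant, unlike the neighbouring `KRB5_KDB_*` flags in this header; it looks like the result of a case-sensitive search and replace. I would spell it `#define KRB5_KDB_XREALM_NON_TRANSITIVE 0x02000000` and use the same spelling at both `isflagset()` calls in kdc/kdc_util.c. This bit gates a cross-realm policy check, so an irregular spelling is easy to miss when auditing flag uses by name. The old name is removed without an alias, so any code outside these two files that still uses `KRB5_KDB_TRUST_NON_TRANSITIVE` will stop compiling, which may be intended for a private flag.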
Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c 2009-01-03 23:20:26 UTC (rev 21692)
+++ trunk/src/kdc/kdc_util.c 2009-01-03 23:20:31 UTC (rev 21693)
@@ -2197,12 +2197,12 @@
krb5_db_entry *krbtgt)
{
/* Incoming */
- if (isflagset(server->attributes, KRB5_KDB_TRUST_NON_TRANSITIVE)) {
+ if (isflagset(server->attributes, KRB5_KDB_xrealm_NON_TRANSITIVE)) {
return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
}
/* Outgoing */
- if (isflagset(krbtgt->attributes, KRB5_KDB_TRUST_NON_TRANSITIVE) &&
+ if (isflagset(krbtgt->attributes, KRB5_KDB_xrealm_NON_TRANSITIVE) &&
(!krb5_principal_compare(context, server->princ, krbtgt->princ) ||
!krb5_realm_compare(context, client, krbtgt->princ))) {
return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
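Review bot: The `/* Incoming */` and `/* Outgoing */` comments do not say what each branch refuses, which matters for a check that returns `KRB5KDC_ERR_PATH_NOT_ACCEPTED`. As visible here, the first branch rejects whenever the server entry carries the flag. The second rejects when the krbtgt entry carries it and either the server principal differs from `krbtgt->princ` or the client's realm differs from that of `krbtgt->princ`. I would state that in the comments, e.g. `/* Incoming: server entry is marked non-transitive, always refuse */` and `/* Outgoing: allow only the krbtgt itself, and only for clients in its realm */`. The function starts above the hunk and continues below it, so the caller's preconditions are not visible here and the wording should be checked against them.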