svn rev #24257: trunk/src/lib/krb5/krb/

hartmans@MIT.EDU hartmans at MIT.EDU
Wed Aug 25 19:31:59 EDT 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=24257
Commit By: hartmans
Log Message:
rd_req_decoded: clarify behavior in comment


Changed Files:
U   trunk/src/lib/krb5/krb/rd_req_dec.c
Modified: trunk/src/lib/krb5/krb/rd_req_dec.c
===================================================================
--- trunk/src/lib/krb5/krb/rd_req_dec.c	2010-08-25 18:22:53 UTC (rev 24256)
+++ trunk/src/lib/krb5/krb/rd_req_dec.c	2010-08-25 23:31:59 UTC (rev 24257)
@@ -44,7 +44,14 @@
  *
  *  server specifies the expected server's name for the ticket; if NULL, then
  *  any server will be accepted if the key can be found, and the caller should
- *  verify that the principal is something it trusts.
+ *  verify that the principal is something it trusts. With the exception of the
+ *  kdb keytab, the ticket's server field need not match the name passed in for
+ *  server. All that is required is that the ticket be encrypted with a key
+ *  from the keytab associated with the specified server principal. This
+ *  permits the KDC to have a set of aliases for the server without keeping
+ *  this information consistent with the server. So, when server is non-null,
+ *  the principal expected by the application needs to be consistent with the
+ *  local keytab, but not with the informational name in the ticket.
  *
  *  rcache specifies a replay detection cache used to store authenticators and
  *  server names
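Review bot: The added sentence "With the exception of the kdb keytab, ..." names an exception without saying what the kdb keytab does instead. Presumably it requires the ticket's server field to match the name passed in for server, and the comment should state that explicitly. The new text also continues straight on from the sentence about server being NULL, so the alias behaviour can be misread as applying to the NULL case. Starting a separate paragraph at "So, when server is non-null, ..." and writing "NULL" consistently (the hunk uses both "NULL" and "non-null") would keep the two cases distinct. Since the comment now calls the ticket's server name "informational", it would also help to tell callers that if they care about the name in the ticket they have to compare it themselves.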



