AddressLess Ticket restriction by KDC server side

Jeffrey Altman jaltman at secure-endpoints.com
Tue Mar 25 12:27:44 EDT 2008


Andrea Cirulli wrote:
> The problem is properly that I'm in an environment in which there are 
> some old clients, which don't request addressless tickets and 
> don't care about the entry noaddresses= true.
>
> This is the reason for which I'm looking for a kdc server side solution.
>
> Andrea Cirulli 

Feature requests can be sent to krb5-bugs at mit.edu.

Implementing what you desire has been done at other sites by patching
the KDC. However, at least one site ran into problems when they
discovered that they had services that were being used by the old
clients that required the addresses in the tickets.

The modification then became a per service principal option which
indicated whether or not addresses would be included.

Unfortunately, these changes are not publicly accessible.



