capath and transitivity
Greg Hudson
ghudson at MIT.EDU
Thu Sep 1 12:19:57 EDT 2011
On Thu, 2011-09-01 at 05:49 -0400, Fabrice Bacchella wrote:
> [capaths]
> R1 = {
> R3 = R2
> R2 = R2
> R1 = .
> }
> R2 = {
> R3 = R3
> R2 = .
> R1 = R1
> }
> R3 = {
> R1 = R2
> R2 = R2
> R3 = .
> }
I believe you can simplify that to:
[capaths]
R1 = {
R3 = R2
R2 = .
}
R2 = {
R1 = .
R3 = .
}
R3 = {
R1 = R2
R2 = .
}
"." means "these two realms share keys directly", and there's never a
need to look up {capaths, Rn, Rn}.
> What's the point of a TGS for krbtgt/R3@R1 on kdc.d2 ? I expected a
> TGS_REQ for krbtgt/R3@R2.
That's a previously unknown bug introduced in krb5 1.9. I think it's
gone unnoticed until now because an MIT KDC at R2 will paper over the
problem by returning krbtgt/R3@R2 in response to the krbtgt/R3@R1
request.
I can provide a patch (it's a one-liner), but since you're using an OS
distribution of krb5 I imagine it wouldn't be convenient to use.
Unfortunately, I can't think of a good workaround. The fix should be in
1.9.2.
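As an added example (not code from this thread or from MIT krb5), the following Python models how a client walks the simplified [capaths] above: it parses the section, lists the sequence of krbtgt TGS requests expected for R1 -> R3, and includes a check that the realm of each requested krbtgt principal matches the realm of the KDC it is sent to, which is the mismatch seen in the request to kdc.d2. Function and variable names are assumptions, and a missing entry is treated as a direct key share, where real krb5 would fall back to a hierarchical path.

```python
# Constructed sample input: the simplified [capaths] section from the reply above.
CAPATHS_TEXT = """R1 = {
  R3 = R2
  R2 = .
}
R2 = {
  R1 = .
  R3 = .
}
R3 = {
  R1 = R2
  R2 = .
}
"""
def parse_capaths(text):
    """Parse krb5.conf [capaths] text into {client: {server: [hops]}}; "." = direct."""
    paths, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        if line == "}":
            current = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            current = paths.setdefault(key, {})
        elif current is not None:
            hops = current.setdefault(key, [])  # repeated keys append hops in order
            if value != ".":
                hops.append(value)
    return paths

def realm_path(paths, client, server):
    """Realms whose TGTs the client must obtain, in order, ending at server."""
    # Assumption: a missing entry = direct key share (real krb5 tries a hierarchical path).
    return paths.get(client, {}).get(server, []) + [server]

def tgs_requests(paths, client, server):
    """(kdc_realm, principal) pairs a correct client issues: each hop asks CURRENT's KDC for krbtgt/NEXT@CURRENT."""
    requests, current = [], client
    for nxt in realm_path(paths, client, server):
        requests.append((current, "krbtgt/%s@%s" % (nxt, current)))
        current = nxt
    return requests

def request_matches_kdc(kdc_realm, principal):
    """The realm part of the krbtgt principal must be the realm of the KDC asked."""
    return principal.rsplit("@", 1)[1] == kdc_realm
```

For R1 -> R3 the model yields krbtgt/R2@R1 from R1's KDC and then krbtgt/R3@R2 from R2's KDC; a request for krbtgt/R3@R1 sent to R2's KDC fails the check.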