capath and transitivity
Fabrice Bacchella
fbacchella at spamcop.net
Thu Sep 1 12:33:59 EDT 2011
Le 1 sept. 2011 à 18:19, Greg Hudson a écrit :
> I believe you can simplify that to:
>
I know, I tried that to be sure to not miss something.
>> What's the point of a TGS for krbtgt/R3 at R1 on kdc.d2 ? I expected a
>> TGS_REQ for krbtgt/R3 at R2.
>
> That's a previously unknown bug introduced in krb5 1.9. I think it's
> gone unnoticed until now because an MIT KDC at R2 will paper over the
> problem by returning krbtgt/R3 at R2 in response to the krbtgt/R3 at R1
> request.
>
Some unit tests should be added ?
> I can provide a patch (it's a one-liner), but since you're using an OS
> distribution of krb5 I imagine it wouldn't be convenient to use.
> Unfortunately, I can't think of a good workaround. The fix should be in
> 1.9.2.
>
>
Thanks, that's a great new. At least I know now that I'm not totally stupid. I will keep an eye on upstream's updates from now.
More information about the Kerberos
mailing list