Reason for removing sname check?

Greg Hudson ghudson at MIT.EDU
Wed Oct 10 12:40:12 EDT 2012

On 10/10/2012 11:27 AM, Tomas Kuthan wrote:
> in MIT krb there used to be a check making sure, that the principal name
> of a keytab entry used to decode enc-part of a ticket equals sname from
> that ticket. But this check went away [...]

We removed this check in 1.7 and changed the way rd_req_dec works in
order to support server principal aliases.  You can read a bit about
this at:

We made further changes to the way rd_req_dec works in 1.10 to support
more flexible handling of GSSAPI acceptor names, as described here:

More information about the Kerberos mailing list