[krbdev.mit.edu #1230] Hierarchical cross-realm seems broken
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Sun Oct 27 15:25:01 EST 2002
The behavior described here should work as I understand the code. I'm able to reproduce in a test setup as follows:
* FOO.SUCHDAMAGE.ORG shares a key with SUCHDAMAGE.ORG
* I get FOO.SUCHDAMAGE.ORG tickets and ask for tickets in the Athena realm.
* Since SUCHDAMAGE.ORG and ATHENA share tickets, and since the step
  from foo.suchdamage.org to suchdamage.org is hierarchical, this
  should be allowed.
However, here is what I see:
hartmans at tir-na-nogth:bar-test(1414)> ./kinit hartmans
Password for hartmans at FOO.SUCHDAMAGE.ORG:
hartmans at tir-na-nogth:bar-test(1415)> ./kvno host/luminous.mit.edu at ATHENA.MIT.EDU
host/luminous.mit.edu at ATHENA.MIT.EDU: Invalid message type while getting credentials
hartmans at tir-na-nogth:bar-test(1416)> ./kvno host/luminous.mit.edu at ATHENA.MIT.EDU
host/luminous.mit.edu at ATHENA.MIT.EDU: KDC policy rejects request while getting credentials
hartmans at tir-na-nogth:bar-test(1417)>
So, I think this is broken.