[krbdev.mit.edu #1230] Confirmed broken but test tools all seem to indicate it should work
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Sun Oct 27 17:52:20 EST 2002
I tried the test again with a setup where I controlled all the KDCs
involved. I still get denied by KDC policy.
However,
hartmans at tir-na-nogth:kdc(1512)> ./rtest "" SUCHDAMAGE.ORG FOO.SUCHDAMAGE.ORG ATHENA.MIT.EDU
SUCHDAMAGE.ORG
hartmans at tir-na-nogth:krb(1514)> ./t_expand -v FOO.SUCHDAMAGE.ORG ATHENA.MIT.EDU SUCHDAMAGE.ORG
krb5_check_transited_list(trans="SUCHDAMAGE.ORG", crealm="FOO.SUCHDAMAGE.ORG", srealm="ATHENA.MIT.EDU")
tgs list = {
'krbtgt/FOO.SUCHDAMAGE.ORG at FOO.SUCHDAMAGE.ORG'
'krbtgt/SUCHDAMAGE.ORG at FOO.SUCHDAMAGE.ORG'
'krbtgt/ORG at SUCHDAMAGE.ORG'
'krbtgt/EDU at ORG'
'krbtgt/MIT.EDU at EDU'
'krbtgt/ATHENA.MIT.EDU at MIT.EDU'
}
client realm: FOO.SUCHDAMAGE.ORG
server realm: ATHENA.MIT.EDU
transit enc.: SUCHDAMAGE.ORG
.. checking 'SUCHDAMAGE.ORG'
YES
And looking at the KDC code in do_tgs_req.c I do not see obvious problems.
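
Added example, not part of the original message and not the MIT krb5 source: a simplified Python model of the hierarchical realm walk and transited check that the t_expand run above exercises, using the same realms. It assumes an uncompressed, comma-separated transited field and accepts only the intermediate realms on the path; the function names are hypothetical, and "@" is written where the archived output shows " at ".

```python
# Simplified model of a hierarchical cross-realm transited check.
# Illustration only: not the krb5 library code, names are hypothetical.

def realm_path(crealm, srealm):
    """Realms visited walking the DNS-style hierarchy from crealm to srealm."""
    c, s = crealm.split("."), srealm.split(".")
    # Count the trailing components the two realm names share.
    common = 0
    while (common < min(len(c), len(s))
           and c[-1 - common] == s[-1 - common]):
        common += 1
    # With no shared suffix the walk crosses between the top-level realms.
    stop = max(common, 1)
    up = [".".join(c[i:]) for i in range(0, len(c) - stop + 1)]
    down = [".".join(s[i:]) for i in range(len(s) - stop, -1, -1)]
    if common:
        down = down[1:]  # the shared ancestor is already listed on the way up
    return up + down

def tgs_list(path):
    """krbtgt principal for each hop, in the order shown in the output above."""
    hops = [(path[0], path[0])] + list(zip(path[1:], path))
    return ["krbtgt/%s@%s" % (nxt, cur) for nxt, cur in hops]

def check_transited(trans, crealm, srealm):
    """Return the transited realms that are NOT on the expected path."""
    # Assumption: only intermediate realms (not the endpoints) are accepted.
    allowed = set(realm_path(crealm, srealm)[1:-1])
    listed = [r for r in trans.split(",") if r]
    return [r for r in listed if r not in allowed]

if __name__ == "__main__":
    # Realm names taken from the test run in the message.
    path = realm_path("FOO.SUCHDAMAGE.ORG", "ATHENA.MIT.EDU")
    for principal in tgs_list(path):
        print(principal)
    bad = check_transited("SUCHDAMAGE.ORG", "FOO.SUCHDAMAGE.ORG", "ATHENA.MIT.EDU")
    print("YES" if not bad else "NO: %s" % ", ".join(bad))
```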