[krbdev.mit.edu #5121] keytab code can't match principals with realms not yet determined

Ken Raeburn via RT rt-comment at krbdev.mit.edu
Mon Dec 18 20:25:35 EST 2006


The new referral support code puts determination of the realm of a
service on the KDC.  On the client side, in krb5_sname_to_principal, if
we don't have explicit data in the config file (or supplied by the
application), we leave the realm as an empty string rather than applying
unreliable heuristics.

However, if the resulting principal name is used to look up an entry in
a keytab, rather than as the server name to pass off to a KDC, it will
not match any of the entries in the file.

Proposed fix: If an empty realm name is given to the keytab-reading
code, the default realm is used instead.
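The mismatch and the proposed fallback, as an added example that is not part of the original message and is not MIT krb5 code. It assumes a simplified model: the `struct entry` type, the `keytab_find` function and the keytab contents are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): a keytab entry is a name plus a realm. */
struct entry { const char *name; const char *realm; };

/* Constructed keytab contents for this example. */
static const struct entry keytab[] = {
    { "host/server.example.com", "EXAMPLE.COM" },
    { "HTTP/server.example.com", "EXAMPLE.COM" },
};
#define KEYTAB_LEN (sizeof(keytab) / sizeof(keytab[0]))

/*
 * Return the index of the matching entry, or -1 if none matches.
 * default_realm == NULL models the current behaviour (exact comparison).
 * A non-NULL default_realm models the proposed fix: it replaces the
 * requested realm only when that realm is the empty string.
 */
static int keytab_find(const char *name, const char *realm,
                       const char *default_realm)
{
    if (realm[0] == '\0' && default_realm != NULL)
        realm = default_realm;
    for (size_t i = 0; i < KEYTAB_LEN; i++) {
        if (strcmp(name, keytab[i].name) == 0 &&
            strcmp(realm, keytab[i].realm) == 0)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    const char *svc = "host/server.example.com";

    /* Realm left empty, as after the referral change: no entry matches. */
    printf("strict, empty realm:        %d\n", keytab_find(svc, "", NULL));
    /* With the fallback, the empty realm resolves to the default realm. */
    printf("fallback, empty realm:      %d\n", keytab_find(svc, "", "EXAMPLE.COM"));
    /* An explicit realm is never rewritten, so a wrong realm still fails. */
    printf("fallback, explicit realm:   %d\n", keytab_find(svc, "OTHER.ORG", "EXAMPLE.COM"));
    return 0;
}
```

The third call shows the boundary of the fallback in this model: only an empty realm is substituted, so a principal that names a different realm explicitly still does not match a default-realm entry.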


