[krbdev.mit.edu #7709] Wrong order in kdc_check_transited_list()
Sumit Bose via RT
rt-comment at krbdev.mit.edu
Wed Sep 25 08:03:19 EDT 2013
Hi,
I think there is an issue in kdc_check_transited_list(). Currently the
capaths from krb5.conf are checked first and then a method from a KDB
plugin is called, if defined.
If the request comes from a realm which is not in the same DNS hierarchy
and krb5.conf does not contain any capaths I would expect that the
method from the KDB plugin will be called. But currently it is skipped
because krb5_check_transited_list() will return an error. If no
capaths are available a tree derived from the DNS hierarchy
(rtree_hier_tree) will be used and this will always fail if the request
is not coming from the same hierarchy.
As a result the method from the KDB plugin will never be called and
defining capaths in krb5.conf is always necessary and cannot be replaced
by a KDB plugin.
bye,
Sumit
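As an added example that is not part of the original report and is not code from MIT krb5, the following Python models the two call orders the report contrasts: a [capaths]/hierarchy check whose error returns before the KDB plugin method is reached, versus consulting the plugin first and falling back to the config check only when the plugin declines. The realm names, the `plugin` callback, the `PLUGIN_NO_HANDLE` sentinel and the simplified path-walking are constructed assumptions for the demonstration, not krb5 internals.

```python
"""Model of a KDC transited-realm check under two call orders.

Added example: a simplified model of the behaviour described in the bug
report, not code from MIT krb5.  Realm names, the plugin callback and the
PLUGIN_NO_HANDLE sentinel are assumptions made for the demonstration.
"""
from typing import Callable, Optional

# Sentinel a plugin returns when it declines to decide (assumed API).
PLUGIN_NO_HANDLE = object()
# Plugin verdict: True = accept, False = reject, PLUGIN_NO_HANDLE = no opinion.
PluginCheck = Callable[[list, str, str], object]


class TransitedError(Exception):
    """The transited path is not acceptable."""


def hier_path(src: str, dst: str) -> list:
    """Realm path implied by the DNS-like hierarchy (model of rtree_hier_tree):
    A.EXAMPLE.COM -> B.EXAMPLE.COM goes via EXAMPLE.COM, the common ancestor."""
    s, d = src.split("."), dst.split(".")
    n = 0
    while n < min(len(s), len(d)) and s[-1 - n] == d[-1 - n]:
        n += 1                                             # length of common suffix
    path = [".".join(s[k:]) for k in range(len(s) - n)]    # climb from src
    if n:
        path.append(".".join(s[len(s) - n:]))              # common ancestor realm
    path += [".".join(d[k:]) for k in range(len(d) - n - 1, -1, -1)]  # descend to dst
    return path


def capaths_path(capaths: dict, src: str, dst: str) -> Optional[list]:
    """Path from a [capaths]-style dict: capaths[src][dst] lists intermediate
    realms, '.' meaning a direct relationship.  None when nothing is configured."""
    hops = capaths.get(src, {}).get(dst)
    if hops is None:
        return None
    return [src] + [h for h in hops if h != "."] + [dst]


def check_transited_list(capaths: dict, transited: list, src: str, dst: str) -> None:
    """Model of krb5_check_transited_list: the transited realms must appear, in
    order, on the configured capaths path or, failing that, the hierarchical path."""
    if not transited:
        return  # direct cross-realm relationship: no intermediate realms to judge
    allowed = capaths_path(capaths, src, dst)
    if allowed is None:
        allowed = hier_path(src, dst)  # no capaths: fall back to the hierarchy
    inner, pos = allowed[1:-1], 0
    for realm in transited:
        try:
            pos = inner.index(realm, pos) + 1
        except ValueError:
            raise TransitedError(f"{realm} not on allowed path {allowed}")


def transit_ok(capaths: dict, transited: list, src: str, dst: str) -> bool:
    """Boolean wrapper around check_transited_list."""
    try:
        check_transited_list(capaths, transited, src, dst)
        return True
    except TransitedError:
        return False


def kdc_check_capaths_first(capaths, plugin, transited, src, dst, calls) -> None:
    """Order the report describes as current: config/hierarchy check first.  When
    it raises, control never reaches the KDB plugin method."""
    check_transited_list(capaths, transited, src, dst)
    if plugin is not None:
        calls.append("plugin")
        if plugin(transited, src, dst) is False:
            raise TransitedError("rejected by KDB plugin")


def kdc_check_plugin_first(capaths, plugin, transited, src, dst, calls) -> None:
    """Order the reporter expects: the KDB plugin is asked first; the config/
    hierarchy check runs only if the plugin declines (assumed semantics)."""
    if plugin is not None:
        calls.append("plugin")
        verdict = plugin(transited, src, dst)
        if verdict is True:
            return
        if verdict is False:
            raise TransitedError("rejected by KDB plugin")
    check_transited_list(capaths, transited, src, dst)


def demo() -> dict:
    """Constructed scenario: krb5.conf has no [capaths], and a ticket from a realm
    outside the local hierarchy arrived through an intermediate realm that only
    the KDB plugin knows to trust.  Returns {order: (accepted, plugin_called)}."""
    capaths = {}                               # no [capaths] section
    transited = ["BRIDGE.ORG"]                 # constructed intermediate realm
    src, dst = "FOREIGN.ORG", "HOME.EXAMPLE"   # not in the same hierarchy
    trusted = {"BRIDGE.ORG"}                   # what the (constructed) plugin accepts
    plugin: PluginCheck = lambda trans, s, d: all(r in trusted for r in trans)
    results = {}
    for name, fn in (("capaths_first", kdc_check_capaths_first),
                     ("plugin_first", kdc_check_plugin_first)):
        calls = []
        try:
            fn(capaths, plugin, transited, src, dst, calls)
            accepted = True
        except TransitedError:
            accepted = False
        results[name] = (accepted, "plugin" in calls)
    return results


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario `demo()` reports that the capaths-first order rejects the ticket without ever invoking the plugin, while the plugin-first order consults it and accepts, which is the difference the report is pointing at.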