disallow requests naming principal as a service

Matt Crawford crawdad at fnal.gov
Tue Mar 26 10:19:00 EST 2002

> Thanks Nico, this solution looks OK to me.
> It modifies the current semantics of KRB5_KDB_DISALLOW_SVR 
> a bit -- hope that's OK.  Besides allowing U2U on a princ that is

The proposed change is OK for my site also, but I'd like to hear
whether it will break someone else's existing deployment.

> it will not support a princ that may be a 
> normal service but must not be used with dup_skey service 
> tickets.

Eh?  It looks to me like it covers that.

> Long term, I'd prefer
> using  KDC_ERR_MUST_USE_USER2USER and report that back to the 
> client when you see that DUP_SKEY is allowed but SVR is not.

Well, kerberos-revisions has defined that error code ...

More information about the krbdev mailing list