disallow requests naming principal as a service
Matt Crawford
crawdad at fnal.gov
Tue Mar 26 10:19:00 EST 2002
> Thanks Nico, this solution looks OK to me.
>
> It modifies the current semantics of KRB5_KDB_DISALLOW_SVR
> a bit -- hope that's OK. Besides allowing U2U on a princ that is
> set DISALLOW_SVR,
The proposed change is OK for my site also, but I'd like to hear
whether it will break someone else's existing deployment.
> it will not support a princ that may be a
> normal service but must not be used with dup_skey service
> tickets.
Eh? It looks to me like it covers that.
> Long term, I'd prefer
> using KDC_ERR_MUST_USE_USER2USER and report that back to the
> client when you see that DUP_SKEY is allowed but SVR is not.
Well, kerberos-revisions has defined that error code ...