disallow requests naming principal as a service

Douglas E. Engert deengert at anl.gov
Wed Mar 27 07:58:00 EST 2002


I would look at this a little differently. The KDC_ERR_MUST_USE_USER2USER
flag's name is misleading. What the KDC is saying, is it won't issue a
normal service ticket for this principal, but it could issue a u2u ticket.
This is advising the client that if it wants a service ticket, this is the only
way to get one. Maybe the flag should be called 
KDC_ERR_NO_NORMAL_SRV_TICKET_BUT_USER2USER_MIGHT_WORK :-)
Sam Hartman wrote:
> 
> >>>>> "John" == John Brezak <jbrezak at windows.microsoft.com> writes:
> 
>     John> Since the response is not authenticated, the client should
>     John> not wholly depend on the KDC to guide its action.
> 
>     John> Ultimately, the client's policy should determine what action
>     John> to take when the KDC is not able to provide a ticket for the
>     John> requested service.  However, it would become very
>     John> inefficient for the client to always try user2user if the
>     John> KDC failed to return a service ticket.
> 
> My argument is that you shouldn't design a protocol that requires the
> client to depend on the KDC.  By the time the client asks for a
> Kerberos ticket it should already be committed to the non-u2u or U2U
> protocol.
> 
> In the case of SASL or GSSAPI applications, the server should offer
> the normal krb5 mechanism only when it has a service key, and a U2U
> mechanism only when it has a TGT.

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
