capaths questions

Sam Hartman hartmans at MIT.EDU
Fri May 14 14:32:36 EDT 2004

>>>>> "Douglas" == Douglas E Engert <deengert at> writes:

    Douglas> Derek Atkins wrote:
    >>  "Douglas E. Engert" <deengert at> writes:
    >> > setenv KRB5_CONFIG /tmp/dee.capath.conf > ./t_walk_rtree
    >> >
    >> > krbtgt/RAEBURN.ORG at RAEBURN.ORG >
    >> krbtgt/ATHENA.MIT.EDU at RAEBURN.ORG >
    >> krbtgt/DEMENTIA.ORG at ATHENA.MIT.EDU >
    >> >
    >> > Without the SECURE-ENDPOINTS.COM = ATHENA.MIT.EDU line > it
    >> assumes that RAEBURN.ORG shares keys with DEMENTIA.ORG
    >> I guess Sam's question (or at least MY quesiton) is: WHY does
    >> it make this assumption?  It's clear from the configuration
    >> that I need to go through ATHENA to get to DEMENTIA.  So why
    >> doesn't the capath code recurse through the configuration for
    >> every step in the path?

    Douglas> Because that is the way it was written. Any mod more
    Douglas> complicated then this would not have been accepted into
    Douglas> the source code at that time. This was a big improvment
    Douglas> over the need to walk the realm tree and require realms
    Douglas> like ORG to share keys with a EDU realm. We got the MIT
    Douglas> people to accept this, but never got the DCE people to
    Douglas> accept it. (Let alone Microsoft that did not use Kerberos
    Douglas> then.)

OK.  Well we're thinking of changing things not require the duplicate
line.  I.E. you would only need one LHS for any given realm.  We can
do so in a backward compatible manner.

    Douglas> I think I can also come up with examples, where depending
    Douglas> on the user vs service realms there may be different
    Douglas> acceptable paths between intermediate nodes.

Can you come up with examples where the current code gives you
flexibility that the new code does not and where this flexibility is

More information about the krbdev mailing list