capaths questions

Jeffrey Altman jaltman at columbia.edu
Tue May 18 10:50:06 EDT 2004


Here is my take on the situation:

   1. The current requirement that all paths be specified is too
      complicated for the most common cases in which the recursive path
      traversal in the client would be just fine.  Therefore, I would
      like to see recursive path traversal be used when an explicit path
      is not specified.
   2. KDC checking of the transitive path should be optional.  I like
      Doug's suggestion of the NO_KDC_CHECK and KDC_CHECK_ALL bits.  In
      general I believe that the final determination of whether a path
      should be accepted or not is the responsibility of the application
      service.  Of course, if there are certain paths that a realm
      administrator does not want to trust, it should be able to prevent
      the KDC from issuing service tickets.  But it should be an option
      and not a requirement.



