referrals in 1.6
Jeffrey Altman
jaltman at secure-endpoints.com
Tue Feb 27 09:08:07 EST 2007
Mark Phalan wrote:
>> Mark> 3. When the fallback path is taken in krb5_get_cred_from_kdc (i.e.
>> Mark> the server princ has "" for its realm) and a cred is returned
>> Mark> for that server (i.e. success) the original realm'less server
>> Mark> princ is returned.
>>
>> Mark> z5# klist
>> Mark> Ticket cache: FILE:/tmp/krb5cc_0
>> Mark> Default principal: mark at Z5.ACME.COM
>>
>> Mark> Valid starting Expires Service principal
>> Mark> 02/23/07 06:53:42 02/23/07 16:53:42 krbtgt/Z5.ACME.COM at Z5.ACME.COM
>> Mark> renew until 02/24/07 06:53:42
>> Mark> 02/23/07 06:55:18 02/23/07 16:53:42 krbtgt/ACME.COM at Z5.ACME.COM
>> Mark> renew until 02/24/07 06:53:42
>> Mark> 02/23/07 06:55:18 02/23/07 16:53:42 host/z4.acme.com@
>> Mark> renew until 02/24/07 06:53:42
>> Mark> ^^^^^^^^^^
>> Mark> No Realm.
>> Mark> Is this expected behaviour?
>>
>>
>> Yes. If you do anything else, you won't cache the resulting
>> principal.
>>
>
> Ok, makes sense. It is however slightly confusing when referrals are NOT
> used.

Would it have been less confusing if the name of the service principal were:

    host/z4.acme.com at RESERVED:KDC-REFERRAL:

Jeffrey Altman
Secure Endpoints Inc.