Behavior change of krb5_rd_req: what error to return

Greg Hudson ghudson at MIT.EDU
Wed Dec 3 11:16:32 EST 2008

On Wed, 2008-12-03 at 05:11 -0500, Sam Hartman wrote:
> The best solution I have so far is to map KRB5KRB_AP_BAD_INTEGRITY to
> KRB5KRB_AP_WRONG_PRINC in  krb5_rd_req.

That's not exactly how I'd think about it; I'd say
KRB5KRB_AP_BAD_INTEGRITY is a caught exception which just indicates that
the loop should continue, and KRB5KRB_AP_WRONG_PRINC indicates that the
loop finished without finding a match.

> We could actually do a bit better than that.  we could see if the
> principal in the ticket happens to match any of the principals we've
> tried and return BAD_INTEGRITY in that case.  Doing so will keep the
> behavior very close to what we expect today.  However  as people start using aliases on the KDC you will get into more and more situations where we cannot actually tell whether the principal is correct so we'll have to guess WRONG_PRINC instead of BAD_INTEGRITY.

Agreed, if we accept the assumption that servers do not know how to
compare client-provided principal names against keytab principals in the
general case.

More information about the krbdev mailing list